As expected, the Court of Justice of the European Union (“CJEU“) has declared EU-US Safe Harbor protocol to be invalid.
The implications of this judgment are potentially wide-ranging and still being digested, and the precise parameters of the impact is expected to become clearer as additional guidance is provided by EU regulators. Initial responses from Silicon Valley (including Microsoft, AirBnB and Facebook, as reported recently by the BBC) have been robust – from Microsoft’s “For…enterprise cloud customers, we believe the clear answer is “yes” they can continue to transfer data by relying on additional steps and legal safeguards we have put in place,” to AirBnB’s “this ruling does not have significant impact on us.”
As well as the household names above, many pre-employment background screening companies, HireRight included, have in the past relied on Safe Harbor to effect transfers of data from the EU to the US. However, like many other companies, HireRight’s position is that Safe Harbor is not the only legal means that may be relied upon for such transfers to remain valid. For example, if a HireRight client uses HireRight’s standard disclosure forms, then express consent is obtained from their EU-screened candidates authorizing the transfer of their personal data outside of the EEA; HireRight also has historically incorporated EU Model Clauses into their services agreements when requested.
For the future and as companies await further guidance, the Safe Harbor 2.0 negotiations continue, though there is no real visibility as to timescale for likely finalisation. What is certain, is that transfers of personal data between the EU and the US will continue, and regulators will be expecting organisations that historically have relied on Safe Harbor to put in place alternative solutions and to ensure that these flow down through the data processing chain.
HireRight considers itself to be in a strong position to respond swiftly to these changes, and will work with its EU Data Controller clients to facilitate compliance with the new data transfer regime as it develops.