Executive Briefings

Framework Permitting Transfer of Employees' Personal Data from Europe to U.S. Declared Illegal

In a landmark decision on data protection, the European Court of Justice's decision in Schrems v. Data Protection Commissioner last month struck down the agreement companies have relied on for 15 years to legally transfer the personal information of EU employees and customers back to the United States.

Framework Permitting Transfer of Employees' Personal Data from Europe to U.S. Declared Illegal

In ruling that the Safe Harbor framework is now illegal, the court expressed particular concern with the ability of U.S. intelligence agencies to access personal information and found that the longstanding provision insufficiently protected EU citizens' personal data.

This judgment affects any company relying on the Safe Harbor program to validly transfer personal data, such as payroll and HR information, across the Atlantic. It will also have an immediate impact on how companies conduct internal investigations of misconduct in the EU.

Although a brief grace period has been granted before enforcement begins, this decision will leave companies scrambling as they consider their options for legal data transfers.

Under the European Commission’s Data Protection Directive, companies that export the personal information of EU citizens are required to provide privacy protection consistent with EU standards. The Safe Harbor framework developed by the Department of Commerce and European Commission allowed U.S. companies to self-certify, subject to enforcement by the Federal Trade Commission, that they adequately complied with EU privacy standards and would protect EU data in the United States. Thousands of companies, in particular smaller companies, relied on this agreement to operate in the EU.

Read Full Article

In ruling that the Safe Harbor framework is now illegal, the court expressed particular concern with the ability of U.S. intelligence agencies to access personal information and found that the longstanding provision insufficiently protected EU citizens' personal data.

This judgment affects any company relying on the Safe Harbor program to validly transfer personal data, such as payroll and HR information, across the Atlantic. It will also have an immediate impact on how companies conduct internal investigations of misconduct in the EU.

Although a brief grace period has been granted before enforcement begins, this decision will leave companies scrambling as they consider their options for legal data transfers.

Under the European Commission’s Data Protection Directive, companies that export the personal information of EU citizens are required to provide privacy protection consistent with EU standards. The Safe Harbor framework developed by the Department of Commerce and European Commission allowed U.S. companies to self-certify, subject to enforcement by the Federal Trade Commission, that they adequately complied with EU privacy standards and would protect EU data in the United States. Thousands of companies, in particular smaller companies, relied on this agreement to operate in the EU.

Read Full Article

Framework Permitting Transfer of Employees' Personal Data from Europe to U.S. Declared Illegal