As the European Court of Justice has ruled the safe harbour agreement invalid, I spoke to Mark Lomas, senior consultant within Capgemini’s cybersecurity practice, to find out what this means for organisations on both sides of the Atlantic.
He commented: “The EU-US Safe Harbour agreement was a political compromise to allow the transfer of personal data from the European Union to the United States. As an agreement, it is inherently unsafe and this has now been recognised by the European Court of Justice with its ruling today. We expect that any transfers of personal data to the US that do not have an alternative legal basis like model clauses, binding corporate rules or data subject consent are now prohibited. In practice, the Information Commissioner and other European counterparts should allow a grace period to rectify this, although it will be interesting to read any legal basis they might suggest to authorise this.
“What it ultimately means is that US organisations have two options. Firstly, some may choose to supply services from within the European Economic Area (EEA) – as Microsoft do with Azure in the Netherlands and Amazon Web Services from Ireland.
“Secondly, those that want to continue providing services from the US to Europe would be well advised to document their security controls in a template version of the model clauses so that they are ready for contract negotiation.
“On the customer side, European businesses need to review the legal basis for cross-border data transfers to ensure that the right safety and privacy controls are in place with their supplier.
“The ruling also makes clear that supervisory authorities such as the Information Commissioner have the power to rule that a ‘third country’ such as the US does not ensure an adequate level of protection even if this is contrary to a finding from the European Commission.”
The full ruling is available to read here