EU-US data export after Schrems: a plan of action for businesses

The Court of Justice of the EU (CJEU) ruling in the Schrems v Facebook case invalidated the EU-US Safe Harbor framework on October 6, 2015. The 15-year old Safe Harbor arrangement had allowed US companies to certify that they handle the personal data they receive from the European Economic Area and Switzerland in accordance with the Safe Harbor framework.

The practical effect of the CJEU’s landmark decision remains unclear, as the EU and US regulators, EU Member States’ national data protection authorities (DPAs) and governments across the Atlantic continue to formulate their response to the crisis and to work towards a solution. While there are reports that the US and EU have agreed in principle to a new cross-border data transfer framework, it faces significant barriers in being finalized and approved by the DPAs.

At an event at the London office of global law firm Norton Rose Fulbright held earlier today, leaders of the firm’s global data protection, privacy & cybersecurity practice outlined the latest guidance on cross-Atlantic data transfers.

Boris Segalis, the US co-chair of the firm’s data protection, privacy and cybersecurity practice, remarked:

“There have been reports that the EU and US have reached an agreement in principle on the revised cross-border data transfer framework, commonly referred to as Safe Harbor II. But a number of challenges remain. Every EU member state DPA has the authority to make its own determination of adequacy with respect to any new framework. This means that a political solution is likely to be necessary to give any new framework pan-European acceptance, and the certainty that is required for US companies to invest resources in complying with the new framework. I am optimistic that the US and EU will come together to solve this crisis in the spirit of cooperation. It seems that all key stakeholders, including the European Commission, understand the vital importance of uninterrupted cross-border data transfers to the economies on both sides of the Atlantic. I am certain that these economic interests must and can be balanced with appropriate respect for the privacy rights of European citizens.”

Marcus Evans, the European lead of the data protection, privacy and cybersecurity practice, commented:

“Other options to legitimise transfers outside the EEA, include relying on derogations such as consent, putting in place EU Commission approved model clauses, or adopting binding corporate rules. The Schrems ruling has complicated this analysis, but unless businesses move to keeping their personal data within the EEA, until Safe Harbor 2.0 is adopted, it is clear that they must now engage with that analysis and choose an appropriate one of these options (all of which take some time to implement fully).”

For further information please contact:

Louise Nelson, Senior PR Manager
Tel: +44 (0)20 7444 5086; Mob: +44 (0)7909 684893
louise.nelson@nortonrosefulbright.com

Notes for editors:

Norton Rose Fulbright

Norton Rose Fulbright is a global law firm. We provide the world’s pre-eminent corporations and financial institutions with a full business law service. We have more than 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.

Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.

Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.

For more information about Norton Rose Fulbright, see nortonrosefulbright.com/legal-notices.