27 November 2015

Safe Harbor: Where are we two months on?

It has been nearly two months since the European Court of Justice declared the Safe Harbor Agreement, a pact that allowed data transfers between the EU and the US, invalid.

The landmark ruling has created considerable uncertainty for the thousands of businesses who rely on Safe Harbor as the basis for the transfer of personal data to the US. How can they continue to do so while still complying with EU data protection laws?

The solution to the problem will depend on a number of local and regional factors, as well as circumstances particular to the business concerned, since we are already seeing a number of different approaches from the relevant authorities. To take just three:


The UK ICO is advising companies to take stock of their arrangements to ensure adequate protection for personal data, which it admits is “no easy task”, and consider what alternatives they might use. Taking a pragmatic approach, it has confirmed that Safe Harbor was just one of the available legal bases for EU-US transfers of personal data and that the ECJ ruling does not affect the use of “model clauses” or the use of Binding Corporate Rules (“BCRs”).


The German Data Protection Authorities have adopted a far more restrictive approach. In a joint statement, they announced that they will order companies to cease data transfers to the US that rely on Safe Harbor. In addition, they have questioned the legality of BCRs and the model clauses. For the time being, they will not approve new BCRs, so German companies without existing BCRs do not have the option of implementing them now. A couple of Data Protection Authorities, in particular in Northern Germany, have even called on companies to suspend arrangements relying on model clauses.

Article 29 Working Party

This highly influential working party, made up of representatives of the data protection authorities of all 28 EU member states, takes a position somewhere between those of the UK and German data protection authorities. The Article 29 Working Party has stated that if a solution, such as “Safe Harbor 2”, is not reached with the US Government by 31 January 2016, EU Data Protection Authorities will take all necessary and appropriate actions, which may include coordinated enforcement.

Meanwhile the European Commission has announced the stepping up of its negotiations with the US on Safe Harbor 2 and its aim to conclude these within three months. It also confirmed that alternative methods of transferring personal data outside the EU are open to challenge before the courts and that national data protection authorities must investigate complaints. Where employee data transfer is involved, the stakes are particularly high: serious data protection breaches are likely to also breach employment obligations and could trigger claims by employees, separate from any enforcement action by regulators.

Compliance with data protection laws is a key business risk and our dedicated Data Protection teams are on hand to guide businesses through these realms of uncertainty. As a global law firm with in-depth knowledge at a local level, we can help your business whatever its jurisdiction to identify and put into place the optimal proportionate solution to cover the current situation. Once the General Data Protection Regulation is in agreed form – it is expected to be finalised in the next few months and come into force two years after that – we can advise your business on what further arrangements may be needed.

Now is the time to act. Businesses that have turned a blind eye to the formalities of international data transfer or used unreliable mechanisms such as contractual consents should realise that the risk profile of non-compliance has now changed dramatically, with this issue now firmly on the enforcement agenda and on employees’ radar too. And if your business relies on Safe Harbor, you only have around two months to put alternative arrangements in place.
