The Court of Justice of the European Union has today declared that the Safe Harbour framework agreement approved by the EU Commission is invalid and that it cannot be relied upon for transfers of personal data to the US. The court found that Commission Decision 2000/520/EC, which established the ‘adequacy’ of the Safe Harbour certification system, is invalid.
Businesses currently relying on US suppliers that have signed up to the US Safe Harbour arrangements under that decision will need to consider alternative protections to safeguard the rights and freedoms of individuals when transferring personal data, such as that of customers, employees or prospects, to the US. This could include exploring other options such as seeking reliance on consent or approved contractual clauses.
Those involved with hosting, cloud or providers of IT services, or simply transferring personal data to the US via websites or platforms, should consider undertaking a review of the service providers involved.
Continuing to transfer could constitute a breach of Principle 8 of the Data Protection Act 1998 and EU legislation.
For more information, see the attached press release from the EU Commission: http://europa.eu/rapid/press-release_STATEMENT-15-5782_en.htm