By now, many of you have heard about the case that has called into question the European Union Data Protection Safe Harbor program. In Schrems v. Data Protection Commissioner, the Court of Justice of the European Union (“CJEU”) invalidated the presumption that voluntary participation in the Safe Harbor program provides adequate protection of data being transmitted from the EU to the United States. The CJEU decision now requires Data Protection Authorities (DPA) for each European Union (EU) country to make a determination regarding whether each data transfer does or does not offer adequate protection.
Select International is one of 4,400 U.S. companies certified under the U.S.-EU Safe Harbor Framework, which provides guidance for U.S. organizations on how to provide adequate protection for personal data from the EU as required by the European Union's Directive on Data Protection. The CJEU decision did not focus on the specific privacy practices in the Safe Harbor Framework but, rather, eliminated the presumption that compliance is sufficient.
The U.S. Department of Commerce, which oversees the Safe Harbor framework in conjunction with the Federal Trade Commission, has stated its disappointment in the decision and its willingness to work with the European Commission to address uncertainty created by the court decision. It has encouraged the release of the updated Safe Harbor Framework as soon as possible.
Select continues to maintain robust and comprehensive programs, and policies and procedures, to protect personal data. This has not changed. We believe that compliance with the E.U. Data Protection Safe Harbor framework provides the foundation for the protection and appropriate use of data, and like all companies that move data from the EU to the U.S., we are monitoring the situation and hoping for further guidance, including a new version of the Safe Harbor program. In light of the CJEU decision, we are reviewing all of our privacy policies and practices, and contractual provisions. We will be working closely with our clients to ensure the privacy of personal data and are actively developing a strategy to provide clients with a valid basis for the transfer of any personal information, should any DPA require it.
If you have specific questions, feel free to contact us.