Data protection and the Safe Harbor may no longer go hand-in-hand when it comes to data transfers between the U.S. and EU.  As a refresher, the Safe Harbor program is basically an agreement between the US Dept. of Commerce and European regulators that allows US businesses to “self-certify” that their data protection standards meet those of European regulators.  It was invalidated on October 6, 2015.  Companies scrambled.  General Counsel sought the advice of outside counsel and data privacy and protection experts.  Start-ups and smaller entities read the copious amounts of commentary, many of which said that U.S.- based service providers certified under Safe Harbor to receive personal data from European customers will need to provide alternative assurances for those customers to be able to use their services lawfully. This would include vendors providing data hosting, storage, cloud solutions, SaaS, data analytics and social networks, and a range of other businesses that have built their data transfer models on Safe Harbor.

The one saving grace, however, was that a Safe Harbor 2.0 was supposedly coming.  Today, it appears that it may not.  The January 31st deadline has come and gone, without a Safe Harbor 2.0.  So, now things remain in legal purgatory for the U.S. Tech Sector.

If a company has not already implemented, or considered implementing, alternatives to mitigate against data privacy, data transfer and data protection issues with individual EU member countries, it may be time to reconsider doing so.  It is important to recognize that such efforts must pertain to both customer data as well as employee data (HR purposes), with Standard Contractual Clauses (SCCs) or Binding Corporate Rules controlling specific kinds of data transfers.  Adding express consent to the transfer of relevant personal data to the United States may not be enough or impractical for a company.  For some, hosting such data entirely in the EU may even be an option, and one that could bypass this uncertainty.  Rest assured, however, data protection compliance is not going away.