Safe Harbor - companies should change to EU standard contracts

The ruling of the Court of Justice of the European Union ("ECJ") on the Safe Harbor privacy principles has created uncertainty about how companies are to proceed in respect of the transfer of personal data to the United States. Plesner recommends that companies enter into agreements based on the EU Commission's standard contracts. For companies with activities in several Nordic countries, we have prepared, together with our Nordic colleagues, an overview of the various procedures in Denmark, Sweden, Norway and Finland.

Due to the ECJ's ruling in the Schrems case (C-362/14) companies can no longer use the special Safe Harbor principles as a basis for transferring personal data to the United States. The ruling has created uncertainty about what Danish companies are to do when transferring personal data to the United States.

The ruling will have consequences for companies transferring personal data to the United States. For instance, all companies that rely on the Safe Harbor rules to transfer data relating to clients, employees or other persons to their head offices, subsidiaries or sub-suppliers of cloud services etc. in the United States will be affected. Accordingly, HR systems, whistleblower arrangements, customer databases etc. will be affected by the ruling.

The EU and the United States are negotiating the implementation of new and lawful Safe Harbor principles. When and if the negotiations result in an agreement, the European Commission can issue a new Safe Harbor decision based on such agreement that Danish companies may use when transferring personal data to the United States.

Information from the Danish Data Protection Agency

The Danish Data Protection Agency has published information about the Safe Harbor ruling in reply to the uncertainty among Danish companies.

It is an important element of the information that if an agreement on new Safe Harbor principles has not been concluded with the American authorities by the end of January 2016, the Danish Data Protection Agency and the other European data protection agencies will "take necessary and appropriate enforcement action". It is not specified which enforcement action will be taken by the Danish Data Protection Agency and the other European data protection agencies.

However, there are many indications that a solution will not be found before the expiry of the deadline on 31 January, and the Danish Data Protection Agency and Plesner therefore recommend that an agreement instead be concluded already now with the American recipient of such information based on the European Commission's standard contracts.

Read the information published by the Danish Data Protection Agency

Joint Nordic overview

Companies having activities in the Nordic countries should in particular note that the Nordic data protection agencies do not have the same procedures for transfers to the United States in all situations. Therefore it is important to establish which Nordic party is the data controller and actually makes the transfer to the United States.

Plesner is in regular contact with colleagues in the other Nordic countries in respect of the Safe Harbor principles and we are able to arrange for personal data advice from the Nordic countries to companies in need of such advice.

In collaboration with law firms in Sweden, Norway and Finland we have prepared an overview of the procedures relating to the transfer of personal data in the four countries.

Read "Nordisk tilgang til EU-USA dataoverførsler efter Safe Harbor-dommen" in Danish.
