Much has understandably been said and written recently about the Schrems judgment of 6 October 2015, in which the Court of Justice of the EU (ECJ) declared invalid the Commission decision underpinning the Safe Harbour arrangements between the EU and the US.
Safe Harbour was based on a set of seven privacy principles, together with 15 FAQs that explained how they were to be applied. By self-certifying, and thereby undertaking to adhere to those principles and the FAQs, US companies were treated as providing an "adequate" level of protection for the purposes of European data protection legislation. Accordingly, entities based in the EEA could transfer personal data to Safe Harbour-certified companies without falling foul of the European restrictions on transfers outside the EEA. Following Schrems and the declaration of invalidity, there is no small degree of uncertainty among those who had previously relied on Safe Harbour to ensure their transfers of personal data to the US were lawful.
The invalidation was not necessarily a big shock. In the light of the Edward Snowden revelations, the European Commission had already made its concerns known to the US authorities and had been in talks with them since 2013 about what is widely being referred to as "Safe Harbour II". There are some fundamentally difficult issues to resolve, specifically the broad access that US security agencies have to personal data transferred under the scheme, and the inability of non-US citizens to seek redress in the US courts for privacy breaches by US companies. The general feeling, however, is that the respective authorities will probably be able to reach an agreement by the end of January 2016 (so shortly after the expected announcement on the finalising of the new General Data Protection Regulation).
There are still other ways lawfully to transfer personal data to the US, including on the basis of the data subject's consent, using the Commission-approved Standard Contractual Clauses and, for intra-group transfers within multinationals, the Binding Corporate Rules regime. None of these was affected by the Schrems judgment, although each carries its own conditions and none is a simple drop-in replacement for a self-certification scheme.
We live in a time of significant flux, and data controllers and processors need to be on their toes: they should identify every transfer of personal data to the US that relied on Safe Harbour, put an alternative legal basis in place for each, and keep that position under review as Safe Harbour II and the General Data Protection Regulation take shape.