As all of our readers know by now, as of October 6, the US-EU Safe Harbor Framework is no more. Safe Harbor was the mechanism on which thousands of US companies (and thousands of companies based in the European Union) legitimized their data transfers from the EU to the US. All the background, including links to a recording of our “emergency” Privacy webinar on the issue, can be found here, here, and here.
Two more dominos outside the European Union have toppled.
Switzerland: The Swiss Federal Data Protection and Information Commissioner (FDPIC) today announced that until a new agreement can be reached, the US-Swiss Safe Harbor is no longer valid, following the same rationale as the CJEU in the Schrems case. Advice from the FDPIC in a press release is that companies should take steps to put model clauses in place when transferring data to the US. The press release also advised that companies should take those measures by the end of January 2016. (Note: The FDPIC press release has only been published in German, French and Italian)
Israel: The Israeli Law, Information and Technology Authority (ILITA) has revoked its prior authorization for data transfers from Israel to the US that are based on Safe Harbor. Israel’s privacy law (the Israel Privacy Protection Regulations of 2001) is Euro-centric: it prohibits the transfer of data from a database in Israel to a location outside its borders unless the law of the data importer’s country ensures a level of protection that is equal to or greater than Israeli law. Like the EU DPD, the Israel law contains several “derogations,” including one that authorizes the transfer of personal data from Israel to a country to which the EU permits data transfers. Based on the CJEU decision in the Schrems case, the ILITA announced that companies can no longer rely on this derogation as a basis for transfer.
The ILITA advises that it continues to assess the Schrems decision and will publish additional information and other clarifications “if necessary”.
Israel’s data protection law received what is called an “adequacy” determination under the EU Data Protection Directive, ensuring that personal data can be transferred from the EU to Israel without reliance on other methods, such as model contractual clauses.
These actions by data protection authorities outside the European Union are yet another imperative for companies to understand their data flows and get a Plan B in place yesterday. Switzerland is a hub of financial activity and life sciences/pharmaceuticals. Israel is a center of technology development, many companies locating US operations in Silicon Valley.
The real question for US companies now is whether other countries such as Argentina, Uruguay, Canada will follow Israel and Switzerland. We continue advise that US companies urgently evaluate their data flows, form a plan for taking remedial measures to supplant Safe Harbor, and start to execute on that plan.