EC Ruling Invalidates Safe Harbor - Now What?

October 19, 2015, John Rostern, VP, Technology Advisory and Assessment Services

On October 7, 2015, the European Court of Justice (ECJ) invalidated the principal European component of the U.S.-EU Safe Harbor Framework in its ruling in Schrems v. Data Protection Commissioner. The court said that the existing U.S.-EU Safe Harbor agreement, overseen by the U.S. Federal Trade Commission (FTC), is flawed in that it allows the U.S. government access to online information related to citizens of the European Union (EU).

The intent of the Safe Harbor Framework is to provide a means by which U.S. companies may transfer personal data outside the EU consistent with the EU Data Protection Directive 95/46/EC (DPD), enacted in 1995. Under the DPD, personal data may only be transferred to countries outside the EU and the EEA when an adequate level of protection is guaranteed (as was provided under Safe Harbor). The DPD applies to all countries in the European Economic Area (EEA) plus non-EU members Iceland, Liechtenstein, and Norway. EU countries have in turn defined their own laws that are aligned with the DPD. An example of this is the UK Data Protection Act (DPA), which was enacted in 1998. Details of the U.S.-EU Safe Harbor Framework may be found at  It is important to understand several key terms used in the DPD:

  • Personal Data - any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

  • Processing - any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

  • Data Controller - the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.

  • Processor - a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller.

  • Third Party - any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.

  • Recipient - a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients.  

With the invalidation of Safe Harbor, companies that must transfer data out of the EEA must look for alternative ways to satisfy the provisions of the DPD. Specifically, the Deputy Commissioner of the UK Information Commissioner's Office (ICO), David Smith, noted in response to the ECJ ruling: “It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions. The ICO has previously published guidance on the full range of options available to businesses to ensure that they are complying with the law related to international transfers.”

The ICO has described a number of ways to meet the DPD requirements in the absence of Safe Harbor. The adequacy of the level of protection associated with a particular transfer may be ensured in a number of ways. The data controller may:

  • Carry out their own assessment of the adequacy of the protection; 

  • Use model contracts to ensure adequacy; 

  • Obtain Commission approval for a set of Binding Corporate Rules governing intra-group data transfers; or 

  • Rely on one of the exceptions to the prohibitions on transfers of personal data outside the EEA.

Model Contracts and Binding Corporate Rules (BCR)

The EC has issued two sets of model contract clauses that may be used to describe the controls over personal data outside of the EEA. These model clauses define the safeguards to ensure that privacy is maintained in accordance with the EU Data Protection Directive. However, implementing model contracts can be cumbersome, time consuming and expensive for organizations that support recurring data transfers.

Binding Corporate Rules provide an alternate mechanism to allow for the transfer of personal data outside of the EEA in multinational companies. BCR provides the policy governing the transfer of data and the controls over that data when it is outside of the EEA. The intent is to ensure that all transfers benefit from an ‘adequate’ level of protection. The DPD notes under Security of Processing (Article 17):

Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.  Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

Binding Corporate Rules offer several advantages:

  • Provide for standardization of controls related to the protection of personal data; 

  • Provide an acceptable reduction in risk resulting from data transfers to third countries;

  • Avoid the need for a separate contract covering every single transfer; and

  • Provide external visibility to regulators and business partners regarding the organization's data protection practices.

In order to represent an adequate level of controls over personal data, the BCR must describe the privacy principles (security, transparency, data quality, etc.) that are covered by the BCR as well as how the design and operating effectiveness will be monitored and measured (policies, procedures, audit, etc.). For example, the UK Information Commissioner's Office (ICO) has indicated previously that the ISO 2700x standards provide a viable framework for the protection of personal data.

While a complete ISO 27001 certification would meet the requirement for audit to demonstrate the existence and effectiveness of controls over personal data, it may also be possible to demonstrate the efficacy of those controls over only the processes and data described in the BCR.  This will provide an organization with a lower level of effort to achieve a threshold of proof regarding controls over that personal data being transferred outside of the EEA.  The process for accomplishing this is relatively straightforward:

  1. Determine the scope of business processes involving the transfer of personal data;

  2. Perform an assessment of risks to that data in accordance with the DPD;

  3. Review existing controls against ISO 27001 to determine the effectiveness of those controls in mitigating the risks described;

  4. Develop and implement additional controls or modify existing controls to address any deficiencies; and

  5. Perform an audit of the final controls environment to document controls effectiveness.

The resulting audit report would support the assertions made in the BCR regarding the adequacy of controls over personal data.

The concerns about the effectiveness of Safe Harbor in providing appropriate assurance related to the protection of personal data are not new.  It is expected that the EC and U.S. authorities will continue to work together on this matter.  In the interim, organizations that are engaged in the transfer of personal data outside of the EEA in the normal course of business should pursue alternatives to demonstrate adequate controls.  The adoption of a more robust control framework will show demonstrable protection of personal data, but there will always be grey areas as to what authorized users do with that data when subject to local law enforcement or unintentional use.

John Rostern

