The Clock is ticking for EU and US to Negotiate New Safe Harbor Deal: What You Can Do to Stay Out of Legal Limbo

October 22, 2015, John Rostern, VP, Technology Advisory and Assessment Services

European authorities have given the European Union and US officials three months to come up with an alternative to the Safe Harbor agreement after the European Court of Justice (ECJ) declared Safe Harbor laws invalid earlier this month. The new agreement must protect the personal data of European citizens from ‘massive and indiscriminate surveillance conducted by the U.S. government’, the authorities said. These practices were ruled incompatible with EU law in an Oct. 6 decision by the ECJ.

The decision by Europe’s highest court has left companies of all sizes that move personal data between the EU and the U.S. in legal limbo. Traditionally, these companies do not have appropriate model contract clauses or binding corporate rules in place, and instead rely on Safe Harbor to meet international data transfer guidelines.

A Working Party assembled in the wake of the ECJ ruling has now issued a joint statement indicating that alternative measures such as model contract clauses and binding corporate rules can be applied to adequately meet EU laws. This statement affects more than 4,000 companies that had been allowed to transfer customer and employee data between the EU and the U.S. under the Safe Harbor program. While such mechanisms may be complex and time consuming to implement, the Working Party members consider those arrangements to still be valid while they complete their analysis of the European court decision.

New Agreement on the Horizon: But Will It Happen Fast Enough?

With the January deadline looming, European Union and U.S. intelligence officials now must reach a better agreement to sufficiently protect European citizens from U.S. intelligence surveillance. The new agreement must include obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights.

If no new agreement is reached by the end of January, the Working Party will consider coordinated legal actions against U.S. companies. It remains to be seen whether U.S. intelligence agencies and their European counterparts can coordinate negotiations and reach a final conclusion in time to meet the Working Party’s deadline.

Practical Solutions to Protect Your Business

A complete ISO 27001 certification meets the audit requirements for demonstrating the effectiveness of controls over personal data. It also demonstrates the efficacy of those controls over the processes and data described by the Council. An ISO 27001 audit may also give an organization a lower level of effort to reach a threshold of proof regarding controls over personal data being transferred outside of the EU. The process for achieving ISO certification is straightforward and can be done in a timely fashion.

Organizations may achieve cost savings by utilizing a centrally managed, ISO 27001 certified information security management system that can form the core of various compliance efforts, including PCI, HIPAA, Sarbanes-Oxley and more.

Register for Our Webinar to Learn What Options You Have to Protect Your Business

Coalfire will be conducting a webinar on ISO 27001 on Oct. 27 to discuss more about the process and why ISO certifications might make sense for an organization.

Continued monitoring of developments related to Safe Harbor will be required. We believe it is always best to maintain information security best practices, and in doing so, stay one step ahead of government regulations, while reducing the likelihood of complicated and expensive international legal action, or worse, data breaches.
