The Clock is ticking for EU and US to Negotiate New Safe Harbor Deal: What You Can Do to Stay Out of Legal Limbo

John Rostern, VP, Technology Advisory and Assessment Services

European data protection authorities have given European Union and U.S. officials three months to come up with an alternative to the Safe Harbor agreement after the European Court of Justice (ECJ) declared the Safe Harbor adequacy decision invalid earlier this month. The new agreement must protect the personal data of European citizens from "massive and indiscriminate surveillance conducted by the U.S. government," the authorities said. Those surveillance practices were ruled incompatible with EU law in the ECJ's Oct. 6 decision.

The decision by Europe's highest court has left companies of all sizes that move personal data between the EU and the U.S. in legal limbo. Many of these companies have neither model contract clauses nor binding corporate rules in place and have relied on Safe Harbor alone to satisfy the EU's international data transfer requirements.

The Article 29 Working Party, assembled in the wake of the ECJ ruling, has now issued a joint statement indicating that alternative measures such as model contract clauses and binding corporate rules can be used to meet EU law in the interim. This statement affects more than 4,000 companies that had been allowed to transfer customer and employee data between the EU and the U.S. under the Safe Harbor program. While such mechanisms may be complex and time consuming to implement, the Working Party members consider those arrangements to remain valid while they complete their analysis of the court's decision.

New Agreement on the Horizon: But Will It Happen Fast Enough?

With the January deadline looming, European Union and U.S. officials must now reach an agreement that sufficiently protects European citizens from U.S. intelligence surveillance. The Working Party has said any new agreement must include obligations on oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights.

If no new agreement is reached by the end of January, the Working Party will consider coordinated enforcement actions against companies that continue to transfer data on the basis of Safe Harbor alone. It remains to be seen whether U.S. and EU negotiators can reach a final agreement in time to meet the Working Party's deadline.

Practical Solutions to Protect Your Business

ISO 27001 certification is not itself a recognized legal basis for transferring personal data out of the EU; that basis still has to come from model contract clauses, binding corporate rules or whatever replaces Safe Harbor. What a completed ISO 27001 certification does provide is independently audited evidence that controls over personal data are in place and operating effectively, covering the processes and data categories the Working Party has focused on. That evidence can reduce the effort of demonstrating, to a regulator or a contracting party, that controls over personal data transferred outside the EU meet the required threshold. The process for achieving ISO certification is well defined and can be completed in a predictable timeframe.

Organizations may also achieve cost savings by operating a single, centrally managed ISO 27001 certified information security management system that forms the core of their other compliance efforts, including PCI DSS, HIPAA, Sarbanes-Oxley and more.

Register for Our Webinar to Learn What Options You Have to Protect Your Business

Coalfire will be conducting a webinar on ISO 27001 on Oct. 27 to discuss more about the process and why ISO certifications might make sense for an organization.

Continued monitoring of developments related to Safe Harbor will be required. We believe it is always best to maintain information security best practices and, in doing so, stay one step ahead of government regulation while reducing the likelihood of complicated and expensive international legal action or, worse, data breaches.
