The judgement will have direct consequences for companies that transfer personal data from the EU to the US. “There are a number of measures that need to be taken to reduce the risk of personal data being transferred unlawfully,” says Martin Gynnerstedt, one of Cederquist's experts on IT law.
The European Court ruling means that it is no longer possible to assume that a transfer of personal data from the US, which takes place with the support of Safe Harbor (see below), is lawful.
“This means that transfers which occur in existing contract relationships with US external partners and also internal transfers to US groups may be in breach of European and Swedish personal data legislation,” says Martin Gynnerstedt.
He thinks that companies should consider alternative approaches in order to ensure that a transfer of personal data is lawful.
“There are certain initial measures which organisations might consider taking,” says Martin.
Companies and organisations can take the following initial measures:
1. Carry out a risk inventory
Take an inventory of which of your personal data transfers are affected by the European Court ruling, in order to see how the organisation is affected by the decision, to assess which risks each transfer may involve, and to decide in which order of priority the transfers should be dealt with.
2. Go through the identified transfers
External partners – Go through the identified partners and analyse whether the transfer to each external partner can take place with the support of one of the exceptions in the personal data regulations (e.g. by using the European Commission's standard clauses).
Internally within a group – Analyse which alternatives to Safe Harbor are available, and which of them are suitable for internal group transfers.
3. Review the internal policies and contract templates
Secure your procedures for lawful transfers of personal data and ensure that the organisation consistently applies this way of working from then on when entering into agreements, etc.
What is Safe Harbor?
According to a Commission ruling in 2000, transfers to the US and to US companies that have joined “Safe Harbor” are considered to be consistent with the European personal data regulation requirement that an adequate level of protection exist in the country of receipt, and therefore also consistent with the Swedish Personal Data Act. The Safe Harbor system comprises a number of requirements concerning the protection of personal data, which US companies can freely join, and it is very common for transfers to take place with the support of Safe Harbor.