Gregory P Bufithis
The Project Counsel Group
6 October 2015 - The Court of Justice of the European Union has given its judgment in Case C-362/14
Maximillian Schrems v Data Protection Commissioner. It is a complex case. As The Society for Computers and Law noted this morning "the judgement will require careful analysis".
For the EU Commission response [VIDEO] to the decision
But many corporations were prepared. One of the first out of the box was Salesforce who is attempting to circumvent today's ruling with a Data Processing Addendum (
And Hogan Lovells came out immediately with a suggested plan of action as follows:
- Carry out a data transfers assessment to identify which data transfers from the EU to the US had been legitimized by Safe Harbor.
- Prioritise key transfers for the business by reference to the nature of the data and its use.
- For intra-group transfers, identify all of the entities involved and assess the most suitable alternative to Safe Harbor. In the short term, this is likely to involve an interim contractual solution whilst more permanent mechanisms - such as BCR - are considered.
- For transfers to service providers, review any existing contracts for references to Safe Harbor and determine whether the relevant vendor is offering a suitable contractual option or is able to rely on a Processor BCR.
- US-based service providers should consider the most appropriate legal mechanism toenable customers to continue to use their services lawfully.
Hogan Lovells also has a complimentary webinar tomorrow, Wednesday, October 7th, at 12:00pm (EDT), with Eduardo Ustaran of their London office, Stefan Schuppert of their Munich office, Winston Maxwell of their Paris office, and Bret Cohen of their Washington office who will analyze the implications of the Court decision for companies that rely on Safe Harbor to legitimize their cross-border transfers to the United States, including:
- What is the status of data transfers currently being legitimized by Safe Harbor?
- What alternative options are available for Safe Harbor members to lawfully receive data from Europe?
- What steps must Safe Harbor members take to transition to those other options?
- What are Safe Harbor members required to do with EU data already in the U.S.?
- How to respond to enquiries from EU clients and regulators concerned about the lack of a lawful basis for transfers.
Safe Harbor-What Next?
Date: Wednesday, October 7, 2015
Time: 12:00 pm (EDT) / 17:00 (BST) / 18:00 (CEST)
To RSVP for the Hogan Lovells webinar,
Safe Harbor-What Next?
And for a short PDF reflecting the analysis and practical next steps and suggested Hogan Lovells contacts,