Safe Harbor declared invalid? – part 2/2

October 9, 2015 at 10:30

In the previous blog post, we presented the EU Court of Justice’s decision that declared the Safe Harbor agreement invalid. The decision means that the personal data of Europeans, in light of the current situation, can no longer be transferred to the USA under the Safe Harbor agreement. Finland’s Data Protection Ombudsman has not yet released recommendations related to the decision, but at the moment personal data can’t be transferred to the USA without a bilateral agreement on the handling of personal data (model clauses).

Many companies transfer personal data of Europeans to the USA daily as part of their operational business activities, for example, by using cloud services. How are companies to act in this situation?

  1. List all personal data registers administered by your company and any services provided by a third party where personal data is stored.
  2. Find out from your agreements, privacy policies and description of file if any personal data is being transferred under the Safe Harbor agreement:
    a.    from within your corporation in the EU to the USA;
    b.    to third parties in the USA; or
    c.    whether the handling of personal data has been outsourced to a provider whose data center is located in the USA.
  3. If personal data is being transferred under the Safe Harbor agreement, contact your provider to agree on further action, so that the legitimacy of data transfers can be ensured with model clauses. Binding Corporate Rules can be applied to intra-corporate transfers of personal data. 
    It also makes sense to find out whether your provider is capable of storing its users’ personal data in Europe and providing this service from a European data center.
  4. Update your privacy policies and descriptions of file.
  5. Release an announcement to your customers, partners and staff.


Many big-name operators have already published announcements on the subject of including model clauses in their contract terms. The EU Commission and US authorities are also negotiating the terms of a new Safe Harbor agreement. A recommended source for keeping up with the situation and finding out about new guidelines is, for example, the website of Finland’s Data Protection Ombudsman.