Legal Briefs: Safe Harbour No More

Startup specialist firm Beauchamps Solicitors join us to answer startup legal queries.

This month, Dublin TravelTech innovators Indigo require some advice on matters of data:

I have my servers in three locations, in Asia, in the US, and in Europe. I only store my data in Europe. Do I automatically comply with all Safe Harbour requirements?

If personal data is not transferred to the United States, then the Safe Harbour regime would not have applied. Personal data that is stored in Europe must comply with EU data protection law.

What was Safe Harbour?
Safe Harbour was a framework agreed between the United States and the European Commission whereby personal data could (up to the date of the recent judgment of the Court of Justice of the European Union (“CJEU”)) be transferred to the US without contravening EU data protection law.

Safe Harbour is now invalid.
As a result of the CJEU judgement last month, companies can no longer rely on the Safe Harbour framework to legalise the transfer of personal data to the United States. This is because the CJEU has held that the Safe Harbour framework is invalid. This means that businesses who export personal data to the United States must put alternative arrangements in place to legalise the transfer of personal data to the United States.

Your Suggested Action Plan:
Companies that transfer personal data to the United States should immediately review their contracts to check the grounds on which they legalise the transfer of personal data to the US. If they relied on the Safe Harbour framework, they will need to find another way to legitimate the transfer of personal data such as by using EU Model Clauses or Binding Corporate Rules.

Reliance on consent of the person whose personal data is to be/was transferred is not recommended. If these options are not available, the companies might consider (in the short term) moving the personal data back to the EU and using EU based providers who store the data in the EU and do not have affiliates in the US, as an adequate level of data protection is guaranteed throughout the EU courtesy of the Data Protection Directive.

The time to act is now, because if companies fail to do so and they continue to transfer personal data to the US, they run the risk of being the subject of legal action by the data protection authority.

Are you a startup with a legal query? Submit them for future consideration to

NB: While all reasonable care has been taken in the preparation and completion of this article, no responsibility is accepted for any errors or omissions. This article has been prepared for information purposes only and does not constitute legal or other advice.

Privacy Policy
Cookie Policy
Terms of Use