Following the ECJ’s historic invalidation of the EU-US “Safe Harbor” system for the European Data Protection Directive (EU-DPD), the European Commission in the past week released a communication which provides comprehensive, high-level guidance on the alternatives to Safe Harbor for organizations spanning the EU and the US.
For those who have been watching this sector, there are no real surprises in the document; the Commission broadly outlines the alternatives as:
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
- derogations under the DPD
In brief: SCCs are pre-approved specific contractual clauses between every pair of entities (even subsidiaries of the same company) that will be exporting data from the EU to a non-EU resident entity; BCRs are binding corporate policies that apply between a parent company and its subsidiary entities; and derogations are essentially exceptions to the DPD (narrowly construed, of course).
This looks simple enough, but the questions of which approach to take (there are many pros and cons), the complications of implementing any of the above, and the resources involved can proliferate quickly (which is of course why Safe Harbor was established in the first place).
Organizations looking for assistance navigating this post-Safe Harbor compliance landscape should not hesitate to contact us.