Not So Safe Harbor

Posted on Oct 6, 2015
By: Alex Hamilton

The European Court of Justice has today issued a ruling stating that the Safe Harbor approach to exporting data to the United States from the European Economic Area is invalid. Many EU companies rely on the Safe Harbor to export personal data from the European Economic Area to US companies, often in the context of cloud services.

We recommend that companies identify any instances of relying on the Safe Harbor in exporting data to the US, and consider putting in place the model clauses to allow the continued export of personal data.

As part of identifying where the Safe Harbor is being relied upon, you can find a complete list of the US companies that are part of the Safe Harbor here.

The Information Commissioner's Office has issued a statement, which helpfully recognises that reviews will take time:

“The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this."

We recommend that the review and any necessary mitigating steps are taken as soon as possible, to minimise legal exposure.

Please contact Andrew Giverin at if you would like any assistance in reviewing agreements with suppliers and identifying remedial strategies or otherwise discussing the implications of this ruling.

Radiant Law regularly supports large scale contract review and remediation projects on a fixed price basis, using technology and processes to speed up delivery.