FAQs regarding Invalidity of the EU-US Safe Harbor Agreement
As a processor of personal data, NGA Human Resources closely monitors all privacy and compliance regulations and will continue to keep clients informed about important changes, such as this recent ruling by the European Court of Justice and any subsequent related developments.
In light of the European Court of Justice’s decision this week regarding the invalidity of the EU-US Safe Harbor Framework, NGA has prepared this FAQ document to address questions around the transfer of EU personal data to the USA.
What is the EU-US Safe Harbor Agreement?
According to the EU Data Protection Directive (Directive 95/46/EC), EU citizens’ personal data can only be transferred to a list of non-European Union countries that have been recognized by the European Commission as having an “adequate level of protection for the data”.
As the U.S. is not currently part of this approved list, the European Commission (EC) and the U.S. Department of Commerce developed a Safe Harbor Agreement that allowed U.S. companies that are certified under the Safe Harbor framework to meet the “adequacy” standard for privacy protection, and import data from the European Economic Area (EEA).
More information about Safe Harbor can be found here: http://www.export.gov/safeharbor
What was ruled by the European Court on Oct 6?
On October 6, the European Court of Justice declared the EU-US Safe Harbor Framework invalid, impacting the pact used by companies to transfer Europeans’ personal information to the U.S.
In summary, the European Court of Justice ruled that national regulators in the EU can override the 15-year-old Safe Harbor agreement and decide at the local level whether the transfer of personal data between their country and the USA meets the applicable EU and national data protection requirements.
The complete verdict of the European Court of Justice can be consulted here: http://www.politico.eu/wp-content/uploads/2015/10/schrems-judgment.pdf
Is NGA Safe Harbor certified?
Yes. NGA Human Resources’ U.S. entity, NorthgateArinso, Inc., has self-certified to the Safe Harbor framework since October 12, 2011. NorthgateArinso, Inc. complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. NorthgateArinso, Inc. has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view NorthgateArinso’s certification, please visit http://www.export.gov/safeharbor.
What happens now that the European Court of Justice decided that the Safe Harbor is invalid, and a new framework is not in place?
The EU-US Safe Harbor agreement is not the only framework approved by the European Commission that allows US companies to transfer personal data from the EU. US corporations can also meet the “adequacy requirement” established by the European Commission by signing an appropriate Data Protection Agreement or “DTA”.
DTAs are contracts between the relevant entities which contain the model clauses that have been issued and approved by the European Commission for transfer of personal data from the EEA to a third country.
NGA has an intercompany DTA based on the EU model clauses between all NGA companies, and many of NGA’s customers have signed a DTA which covers the transfer of their relevant EU personal data to the US (as well as in some cases to certain other countries not approved by the EU for data transfer). For these customers, the ECJ’s decision on Safe Harbor should raise few, if any, concerns.
NGA customers that have employees in the EU whose personal data may be transferred to the USA as part of the services the customers receive from NGA, and which have not already signed a DTA covering these transfers, are strongly encouraged to sign a DTA based on the model clauses. Please contact your local Account Management representative to request a DTA or amendment.