Personal data protection: the end of Safe Harbor

June 20th 2016

Safe Harbor is a set of personal data protection principles published by the US Department of Commerce to which US companies voluntarily adhere in order to be legally permitted to receive personal data from the European Union.

Those principles, negotiated between the US authorities and the European Commission in 2001, were essentially based on those prescribed by EU Directive 95/46 of October 24, 1995. Safe Harbor provided a sufficient level of protection for the transfer of personal data from the EU to companies based in the USA.

The Court of Justice of the European Union ruled on October 6, 2015 that Safe Harbor did not provide adequate legal protection, and now requires US companies wishing to receive personal data from the EU to enter into specific agreements with their European clients based on the principles issued by the European Union.

Any violation of these EU regulations is subject to a maximum prison sentence of 5 years and a maximum fine of 300,000€. Moreover, the General Data Protection Regulation of May 4, 2016, applicable as of May 2018, will raise this fine to a maximum of 4% of the worldwide annual turnover of the infringing US company and, as the case may be, of all the group’s companies.

As an example, the French authorities (CNIL), among the more stringent Member States’ authorities in the EU, have formally notified the Californian company Facebook to comply with the current French legislation, undoubtedly in anticipation of the enforcement of this new EU regulation.

Rémi Turcon
Cyril Fabre