Doing Business in Europe and the Invalidation of the EU-U.S. Safe Harbor: Is Your Business Impacted?


October 15, 2015

Last week, the European Court of Justice ("ECJ") issued a decision eliminating the EU-U.S. Safe Harbor Framework ("Safe Harbor") as a mechanism for EU personal data1 transfers to the U.S. Safe Harbor has been the most streamlined, and most widely used, mechanism to shelter EU-U.S. data transfers. The ECJ's decision requires many U.S. and European businesses, which had relied upon the Safe Harbor, to instead implement other means to cover overseas data flows.

In its landmark decision, the ECJ: (1) invalidated the European Commission's 2000 decision that compliance with the Safe Harbor provisions constituted "adequate protection" for data transfers out of the EU; and (2) declared that the data protection regulator ("DPR") of each EU member state has the authority to hear complaints about the level of protection provided by U.S. companies for transferred EU personal data.

The ECJ found the Safe Harbor to be invalid for two key reasons. First, the Court stated that the unfettered access of U.S. law enforcement to personal information of EU citizens ran directly afoul of EU law. The EU generally constricts access to personal information, with a limited exception for law enforcement purposes that are "strictly necessary and proportionate" to protect national security. Second, the Court found that Safe Harbor did not permit legal remedies against U.S. companies by EU citizens seeking to access and correct their personal data, a key tenet of EU data protection law.

As a result of the ECJ's decision, U.S. companies may no longer rely on their Safe Harbor certification alone as authority to transfer personal data. While the U.S. Department of Commerce and the European Commission have been working for several years on a new Safe Harbor framework, prompt agreement on a new framework is anything but certain.2 Until such an agreement is reached and ratified by the European Commission (a process which could require extensive input from the European Parliament and EU Council given the ECJ's criticism of the prior Safe Harbor), companies which had relied solely on their compliance with the Safe Harbor provisions should implement available alternative methods to conform to EU data transfer protection laws. As a matter of best practices, companies should continue to require U.S. partners, subsidiaries and vendors receiving EU personal data to comply with the obligations under the invalidated Safe Harbor, since those data transfers may later be found to comply with the terms of a new Safe Harbor agreement. At a minimum, such actions may help poise companies to comply with any new requirements instituted under a new Safe Harbor agreement.

Is Your Company Impacted?

You are most likely subject to EU-U.S. data transfer regulations and impacted by the ECJ's Safe Harbor decision if you are:

  • a U.S. company with EU offices, subsidiaries, affiliates, commercial partners or vendors, which send "personal data" regarding EU employees or customers3 to the U.S.;
  • a U.S. company using technical infrastructure (including servers) or service providers in Europe that send EU personal data to your U.S. infrastructure;
  • an EU company sending EU personal data to a U.S. office, subsidiary, affiliate, commercial partner or vendor; or
  • an EU company using technical infrastructures (including servers) or service providers located in the U.S.

Alternative Solutions for Impacted Companies

Several DPRs have indicated that they intend to issue guidance on how companies may make compliant data transfers to the U.S. in the wake of the ECJ ruling, and will not take immediate enforcement action against affected companies. A few options other than Safe Harbor compliance are available under EU law to cover data transfers until a new Safe Harbor agreement is reached.

First, companies may include in data transfer agreements standardized data transfer clauses which have been approved by the European Commission4. Among other requirements, these model clauses direct contracting parties to describe the data to be transferred, state the purposes for transfer, and disclose the security measures in place to protect the data. If implemented verbatim, the standard contractual clauses automatically cover EU data transfers to the U.S. However, be aware that these standard contractual clauses provide European citizens whose data is transferred a private right of action against the agreement parties.

Second, a company may adopt binding internal corporate rules concerning data protection and privacy, backed by training and audit programs. If approved by relevant EU member countries' DPRs, adoption of these rules allows multinationals to transmit data anywhere within the group of entities covered by the rules, even to countries that do not offer "adequate" protection (such as the U.S.). This option is time-consuming and expensive because it typically takes approximately 18 months to obtain the approval of the DPR of each EU member country for which the company collects and transfers EU personal data. This option is best reserved for systematic transfers occurring over an extended period (e.g., payroll processing and other human resources transfers).5

Finally, companies may transfer EU personal data to the U.S. with the individual's consent -- which must be explicit, specific, freely given, discretionary and waivable. This option poses a number of obstacles which are readily apparent. For instance, it would be difficult to establish that an employee's consent to the transfer of human resources data was "freely given" since the employee is under the influence of the employer.6 For more information on the requirements for obtaining consent, see Article 29 Working Party Opinion 187.

The ECJ's invalidation of Safe Harbor poses new risks to companies transacting business in the EU or otherwise relying upon transfers of EU data to the U.S. However, until a new Safe Harbor framework is adopted addressing the concerns cited in the ECJ's ruling, employing one of these alternative mechanisms may prove to be the most efficient and effective method of complying with European data protection transfer mandates. Please contact our Data Security & Privacy team with any questions you have about EU/U.S. data transfer developments, including any DPR-issued guidance concerning legally compliant methods for overseas data transfers.

1 Under Safe Harbor, "personal data" is defined by European Commission Directive 95/46/EC. The Directive definition is much broader than typical U.S. classifications, covering data such as IP addresses, information included in cookies, and behavioral information.

2 Some expect a new Safe Harbor framework and agreement to be finalized in early 2016.

3 Under Directive 95/46/EC, the "personal data" must relate to a natural person who can be identified, directly or indirectly, and in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (a 'data subject').

4 However, on October 14, 2015, the DPR for the German state Schleswig-Holstein issued a press release and position paper stating that standard contractual clauses likely are not valid means to transfer data to the U.S., following the ECJ's logic for invalidating Safe Harbor. The Schleswig-Holstein DPR specifically recommends that companies using standard model contracts cancel them with their U.S. partners and do a complete review of data transfers, consulting with the Schleswig-Holstein DPR in each instance. It remains to be seen whether other DPRs will take such a harsh stance. 

5 A new General Data Protection Regulation (GDPR), expected to be finalized in 2016 and take effect in 2018, will replace the Directive. The GDPR is expected to greatly streamline binding corporate rules, making the process much more practical for businesses.

6 "Where consent is required from a worker, and there is a real or potential relevant prejudice that arises from not consenting, the consent is not valid in terms of satisfying either Article 7 or Article 8 as it is not freely given… An area of difficulty is where the giving of consent is a condition of employment. The worker is in theory able to refuse consent but the consequence may be the loss of a job opportunity. In such circumstances consent is not freely given and is therefore not valid." Article 29 Working Party Opinion 48 on the processing of personal data in the employment context.
