The Safe Harbor framework no longer exists as a viable legal basis for transferring personal data from Europe to the US; that much is clear. However, as of this morning the US Department of Commerce Safe Harbor website and list of participating companies remain accessible, as though nothing has changed. Dual versions of reality, like a painting of an impossible landscape by Rene Magritte?
In any event, for companies that had been participants, the CJEU ruling has raised a number of questions:
1. What can, or should, be done with transferred data received prior to the ruling? Can it continue to be held and processed, or must it be deleted?
2. If such previously received data can continue to be held and processed, under what conditions may this occur? Would a publicly stated commitment to continue to apply the former Safe Harbor Privacy Principles and FAQs to the handling of the data suffice? Or a similar commitment to seek data subject consent, or to develop either a model contract or Binding Corporate Rules?
3. Do any of the legal obligations on participants created by virtue of Safe Harbor participation survive the demise of the framework?
4. Can new personal data be lawfully received in the absence of an executed model contract or approved BCRs? Could, or should, previous Safe Harbor participation allow for a grace period for transition to another transfer mechanism?
7. Must the Safe Harbor privacy seal be removed wherever it is displayed?
8. Does the US-Swiss Safe Harbor Framework remain in place as a valid basis for transfers of personal data from Switzerland to the US?
9. What significance, if any, do the commitments from both the Department of Commerce and the European Commission to create what is being called Safe Harbor 2.0 have, given the two years this has been under discussion and the enormity of the gap remaining?
Both the European Commission and the Article 29 Working Party have announced that they are working on an expedited basis to develop guidance that may provide answers to some of these questions. This in turn gives rise to a final question:
10. What risk or liability do participating companies face should they defer changing their data handling policies or practices until regulatory guidance is in hand?