Safe Harbor: New Guidance Reaffirms Use of Alternative Tools for Lawful Data Transfer

European Commission’s latest guidance on the Schrems (Safe Harbor) ruling reaffirms the use of alternative tools for lawful data transfers to countries outside Europe, including to the U.S.


Here are some details on these “alternative tools.”


  • Standard Contractual Clauses (“SSCs”): The European Commission has currently approved three sets of SCCs (See here). Unlike Safe Harbor, which only applied to EU-US transfer, the SCCs can be used in contracts involving transfer of personal data from the EU to any jurisdiction. The SCCs apply to both intra-company and external transfer. Incorporating the SCCs in a contract means that national Data Protection Authorities (DPA) are in principle obliged to accept those clauses. However, this only holds true if the SCCs are used verbatim. While it is possible to modify the SCCs to cater to specific company needs, these must be approved by relevant EU member state DPAs.
  • Binding Corporate Rules (“BCRs”): These are a set of binding rules or code of conduct which a company can draft and implement internally to legitimize cross-border data transfers within its corporate group. However, for most EU states, data transfers on the basis of BCRs have to be authorized by the DPAs in each state. BCRs typically have a lengthy and tedious approval process. 
  • Derogations: It is also possible to transfer Personal data using one of the derogations set out in Article 26 (1) of Directive 95/46/EC. These include cases like (i) the data subject has unambiguously consented to the proposed transfer; (ii) transfer is necessary for the performance of a contract between the two parties. It is important to note that derogations should not be used for mass or repeated transfers of data.

 The European Commission guidance also asserts that:

  • the original data collection and processing must have been lawful in the first place; and
  • the controllers remain responsible for ensuring there is adequate protection of personal data when using alternative tools.

The latest guidance gives some respite to US companies struggling to mitigate the impact of the Safe Harbor ruling. However, it is advisable to leverage this opportunity and audit your data protection measures. Here’s a checklist:

  • Review the statutory/regulatory climate(s) affecting your organization.
  • Classify information into general categories:
    • Personally identifiable/non-personally identifiable
    • Sensitive/non-sensitive
    • Highly-sensitive
    • Information subject to specific statutory/regulatory requirements
    • Medical information
    • Financial information
  • Map data flows. Ask the below to determine and determine the level of privacy-related exposure:
    • How information is being received, utilized, managed, and passed on by your organization.
    • What information is moving intra-departmentally or intra-personally within your organization?
    • What information is moving from your organization to third parties?
    • What information is your organization receiving from third parties?
    • What relevant information is moving across state/national boundaries?
    • Who can collect information? Are their varying rights of access?
    • How and where is the information stored?
    • How long is the information retained?
    • What information is automatically logged and/or not explicitly consented to by the user?
    • What choices are available to the user regarding control of collection, use and distribution of personal information?
    • Are your employees aware of what does and does not constitutes a compliance risk in handling cross-border data?

The list is not exhaustive and provides guidance not advice. Please contact us below or call +1-408-913-9130 to speak to our experts for your global expansion needs or questions.