Today the EU threw a huge wrench into one of the main mechanisms by which personal data moves between EU countries and the U.S., as reported in Mintz Levin’s Privacy and Security Matters Blog. Companies that currently rely on the U.S.-EU Safe Harbor Program - as many in the health care industry do - need to think carefully and quickly about a back-up plan for these data transfers.
The relevant EU privacy protections apply to more than just PHI covered by HIPAA; they also cover basic personal information typically found in employee and business records. The EU has questioned the adequacy of the legal privacy protections offered by the U.S., and, since 2000, many companies have relied on Safe Harbor certification to demonstrate compliance with EU standards. But earlier today a European Court of Justice Advocate General issued an opinion calling the Safe Harbor Program into question, creating a very high risk that the ECJ will invalidate it.
Because it may be only a matter of time until the ECJ invalidates the Safe Harbor Program, companies relying on Safe Harbor for data transfers need a back-up plan. Pharmaceutical companies, research entities, data transfer companies, and anyone doing business in the EU or sending personal data to or receiving it from the EU could be affected.
Read more about the Safe Harbor Program and contingency considerations on our Privacy and Security Matters Blog.