
Trouble Brewing for International Data Transfers Under U.S.-EU Safe Harbor

Today the EU threw a huge wrench into one of the ways that personal data goes back and forth between EU countries and the U.S., as reported in Mintz Levin’s Privacy and Security Matters Blog. Companies that currently rely on the U.S.-EU Safe Harbor Program - as many in the health care industry do - need to think carefully and quickly about a back-up plan for these data transfers.

The relevant EU privacy protections apply to more than just PHI covered by HIPAA, and include protections for basic personal information typically found in employee and business records. The EU has questioned the adequacy of legal privacy protections offered by the U.S., and, since 2000, many companies have relied on the Safe Harbor certification to demonstrate compliance with EU standards. But earlier today a European Court of Justice Advocate General issued an opinion calling the Safe Harbor Program into question, resulting in a very high risk that it will be invalidated by the ECJ.

Because it may be just a matter of time until the EU invalidates the Safe Harbor Program, companies relying on the Safe Harbor for data transfer need a back-up plan. Pharmaceutical companies, research entities, data transfer companies, and anyone doing business in or sending and receiving personal data from the EU could be affected.

Read more about the Safe Harbor Program and contingency considerations on our Privacy and Security Matters Blog.

 

 


Authors

Rachel Irving Pitts is an Associate at Mintz. Her practice involves transactional and regulatory matters, including mergers and acquisitions, regulatory compliance review, telemedicine issues, and provider and service contracting matters. Rachel's clients include health care providers and payors.
Dianne J. Bourque advises health care clients on licensure, regulatory, contractual, risk management, and patient care matters for Mintz. Dianne counsels researchers and research sponsors on FDA and OHRP regulations. She also counsels clients on data privacy issues, including HIPAA standards.