Data Transfers without Safe Harbour: What You Need to Know

The invalidation of the Safe Harbour agreement in October last year has thrust the legality of international data flows into question. Digital businesses have been discussing the impact of such a decision on the industry, especially on smaller companies and startups, and urged the EU and U.S. negotiators to reach a new agreement as soon as possible.

Despite the recently agreed upon EU-U.S Privacy Shield, businesses still have some time before it takes effect and have to think about alternative measures to ensure the legality of their data transfers. Even though Safe Harbour is effectively terminated and Privacy Shield is not yet enforced, companies can still turn to alternative measures that are legally sound and outlined by the European Commission, in order to continue collecting, transferring and storing transatlantic data.


Download the Policy Briefing: "Data Transfers without Safe Harbour: What You Need to Know" 


While We Wait on Privacy Shield - Data Transfer Exceptions

In principle, companies cannot transfer data to countries that the EU deems are inadequately protecting personal and sensitive data. However, the current EU Data Protection Directive provides a list of four specific derogations (exceptions) that allow businesses to transfer data to foreign countries, even if they do not guarantee high data protection standards, like those applied in Europe.

According to the rules:

  • It is possible to transfer data outside the EU when the user gives their unambiguous prior consent. For example, apps would have to let users know what data they were collecting and also get the user's consent each and every time they collected data.
  • Data transfers can still take place if they are necessary for software to work in accordance with a contract between the developer and the user (e.g. financial transactions)This usually happens when making hotel reservations, or when payment information is transferred to a third country for a bank transfer[BB1]
  • Data transfers can also take place when it is necessary for the conclusion of a contract between an app developer and the third party, and only when the transfer is made in the user’s interest; for example, when a travel agent forwards the details of a flight booking to an airline.
  • Finally, In case of on-going legal claims, you can transfer data when it is necessary for the judicial procedure. For example, when a company needs to transfer data to defend itself against a legal claim, or to make a claim in court or before a public authority.

If you’re still not sure…

These can be very tricky to understand and, for legal reference, take a look at Art. 26. For further information, check out these FAQs and the guidance issued and best practices collected by the Data Protection Authorities here. If you have any doubts, seek legal help; this stuff is important to get right!

Contract Clauses to Protect Data Transfers

If your company is headquartered in the EU and you need to transfer data to other companies based in the U.S., you can adopt these particular contractual clauses that set the terms for legal and valid transfers.

Since understanding these clauses can be a daunting task, the European Commission, in an attempt to simplify the affair, pre-approved and published them on its website. The Commission sets out four sets of ‘clauses’, which can ensure legal data transfers. Two sets of clauses are related to transfers between controllers (any company that includes data processing in its business model) based in the EU and in the U.S. The other two sets of clauses relate to transfers between a controller based in the EU and a processor (any company that processes the data on behalf of the data controller) based in the U.S.

Within these model clauses are many obligations that data exporters and importers must abide by, including:

  •  Adopting and using the definitions used by the EU relating to data privacy.
  • Ensuring compliance with security measures without weakening any agreed security measures.
  • Ensuring informed consent from the person whose data is being gathered, any time that data processing is involved.
  • Notifying the relevant EU data protection authority in the event that American law blocks you.
  • Providing, upon request by any user, a copy of the clauses and a summary description of the data protection measures in the agreement.

These are valid in all Members States, and National Data Protection Authorities, in principle, are not required to accept them or pre-authorise transfers for them to be valid. Nonetheless, it is worth double-checking, as some pre-authorisation methods are still in place.

All of the above can be very stringent and complicated to comply with, so be sure to read them thoroughly and ensure the obligations do not conflict with existing company policies or contracts. If in doubt, do not hesitate to seek legal advice.

Third Party Cloud Service Exceptions

Lastly, if you outsource data storage or cloud services, you might already work with some of the biggest companies offering these services.

The good news is that they have made themselves available to execute Model Clauses with all of their customers, regardless of their dimensions or size, so if you work with or use one of these companies, you may be able to legally transfer data through them.

For example, Google has added a Contract Clause to its administrative interface for Google for Work and for Google Apps, Microsoft also executes Model Clauses that were approved by the EU last year, and has provided a pre-signed data processing agreement that you can execute and store at your organisation. Amazon is also willing to execute Model Clauses. These can save time and money that would be spent understanding and complying with complex SCCs or derogations. Here is the information on how to execute an agreement as well as a pre-signed agreement.


As Privacy Shield enters the final stretch of consideration, businesses should know that without one of the above alternative data transfer mechanisms, they could run into legal trouble.  Privacy Shield has been accepted by the College of Commissioners and submitted to Data Protection Authorities for assessment, comment, and final approval, which is likely to come sometime in April. Until then, be sure to employ an alternative mechanism and seek legal advice when necessary.

If you have any questions regarding any of the above data transferring alternatives, please feel free to reach out to us. You can email us at: Policy@AppAlliance.org