The EU's invalidation of "Safe Harbor" poses significant risk to US banks.
The future of data transfer from the EU to the US was thrown into chaos on October 6, 2015, when the “Safe Harbor” data transfer framework was struck down in Europe. The Court of Justice of the European Union (CJEU) declared that the framework, designed to facilitate the transfer of personal data from the EU to the US, is invalid because the US does not provide adequate protection for such data.
Safe Harbor is a framework under which US firms may self-certify that they provide adequate data privacy protection as required by EU law. Within the US, the Federal Trade Commission (FTC) has been responsible for administering the framework and auditing self-certifying firms.
Because US financial services (FS) firms are not regulated by the FTC, the framework has not been broadly adopted within the FS sector, so the impact of the CJEU’s action on US FS firms may appear limited at first glance. However, these firms’ third-party service providers have likely been relying on Safe Harbor, which poses a significant risk.
This Financial crimes observer (a) analyzes the risks to FS firms resulting from the CJEU’s decision, (b) provides our view of what FS firms should be doing now, and (c) discusses the next steps that we expect regulators and lawmakers to take.