Last week, the Court of Justice of the European Union (CJEU) gave an important data privacy ruling, which any business transferring personal data between the EU and US should know about – particularly those that have made use of the “Safe Harbor” scheme for data transfer, which the CJEU has now ruled to be invalid.
All multinational companies are constantly transferring data relating to identified or identifiable human beings (data subjects). Data is moved between different parts of the same business and to and from suppliers, customers and other third parties. When such data moves between countries, the laws of multiple countries may become relevant, potentially including a multinational business within their jurisdiction when that multinational acts as a data controller determining the purposes, conditions and means of processing involved. This also renders the business vulnerable to potential penalties for breaches of the law. One way to manage the ongoing problems of moving data across the world is to introduce Binding Corporate Rules (BCRs) to govern global data transfer.