The EU's highest court ruled, on 6th October 2015, that a legal mechanism enabling companies to transfer personal data between the EU and the US is invalid. The Court of Justice of the EU (CJEU) said the “safe harbour” regime does not provide adequate data protection, as required by EU law when personal data is sent outside of the European Economic Area.
It said that there are insufficient restrictions on how the US authorities can use data transferred to the US from the EU and that therefore the safe harbour regime does not respect privacy in the way required under EU law. The fact EU citizens do not have a judicial right to redress in the US if their data is mishandled also counted against the safe harbour regime, according to the ruling
If you're using an integrated online accounting and payroll service then there is a variety of information that is held on servers that the ruling could be applied to - customers, suppliers and, importantly, employees.
As Liberty Accounts servers are held in the UK the ruling does not affect us or our clients but there are thousands of businesses who will have to find alternative ways of transferring personal data between the EU to the US to remain compliant with EU data protection rules.
Whilst a new Safe Harbour replacement is in the pipeline Information Law expert Marc Dautlich of Pinsent Masons argues that “like the safe harbour regime, model clauses have been approved by the European Commission, giving rise to the possibility that similar challenges could be brought against the adequacy of data protection provided for when model clauses are relied on for transferring data to third countries”.
So if you are using any online service which holds any personal data of customers, suppliers, or employees in the US ó and you want to protect your business from any potential liability - you should ensure that your service provider complies with EU data protection regulations.