Charting our Course in Response to the ECJ’s Safe Harbor Ruling

By Suk Kim

The European Court of Justice (ECJ) ruled yesterday that the transfer of personal data from European Union member countries to the U.S. under the Safe Harbor mechanism is invalid.

As a service provider to many EU-based companies, Urban Airship has certified compliance with the privacy and security requirements of the Safe Harbor mechanism as the basis for the transfer of personal data from the EU to the US in connection with our customers’ use of our SaaS platform. While the ECJ has ruled that the Safe Harbor mechanism is an invalid legal basis for the transfer of data, the privacy and security processes and practices that Urban Airship has implemented for the protection of customer data under this mechanism still remain. Urban Airship will continue to comply with those privacy and security processes and practices.

Since the ECJ’s ruling, the UK Information Commissioner’s Office (ICO) issued a response that it will be working with its “counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them” for transfer of personal data to the US. Similar statements have been released by the European Commission to provide further guidance to ensure a coordinated European approach.

Based on Urban Airship’s existing robust privacy and security processes and practices, we are well prepared to rapidly put into place a valid data transfer framework to replace Safe Harbor processes and practices, once the European Commission or the UK ICO provide further guidance in the coming weeks. Such data transfer frameworks may include incorporating additional data processing addendum based on the European Commission’s Standard Contractual Clauses (Processors) into Urban Airship’s Terms of Subscription Service. Urban Airship makes its privacy policy available here, along with an overview of our security program here.