Alternatives to Safe Harbor for the transfer of data between the EU and the US

In light of the recent decision in C-362/14 (Maximilian Schrems v. Data Protection Commissioner), European Data Protection Agencies may suspend data transfers under Safe Harbor. Multinational companies might start to get worried. But are there other instrument to transfer data between the EU and the US?

Yes! According to WP29, there are at least two other options to allow international data transfers to continue, which entail the implementation of:

– Model Contract Clauses; or

– Binding Corporate Rules.

See here.


1. Model Contract Clauses. These clauses have been pre-approved by all Member States, and do not require further approval by local DPAs. The Council and the European Parliament have given the Commission the power to decide, on the basis of Article 26 (4) of Directive 95/46/EC that certain standard contractual clauses offer sufficient safeguards as required by Article 26 (2), that is, “they provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights”.

Please note that there is the possibility to include standard data protection clauses in a wider contract and to add other clauses to a data transfer agreement as long as they do not prejudice fundamental rights of data subjects.

So far, the Commission issued two sets of standard contractual clauses for transfers from data controllers to data controllers established outside the EU/EEA and one set for the transfer to processors established outside the EU/EEA.

(EU-)controller to (Non-EU/EEA-) controller

– Decision 2004/915/EC

– Decision 2001/497/EC

(EU-)controller to (Non-EU/EEA-) processor

– Decision 2010/87/EU

More information on Model Contract Clauses is available at…


2. Binding Corporate Rules (“BCR”). BCR function as a multinational data protection “code of conduct”. In the EU they require approval by the pertinent DPA. BCR are internal rules – adopted by multinational groups of companies – which define their global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which “do not provide an adequate level of protection” within the meaning of article 26 (2) of Directive 95/46/EC.

BCR must contain in particular:

– privacy principles (transparency, data quality, security, etc.);

– tools of effectiveness (audit, training, complaint handling system, etc.);

– be binding.

An overview on Binding Corporate rules is available at…

More material on Binding Corporate Rules is available at…



More information on the debate concerning Safe Harbor validity is available at…

For more information, Francesca Giannoni-Crystal


Follow us on& Like us on