Ann Bevitt and Matthew Johnson of Cooley LLP write:
Last week Europe’s highest court, the Court of Justice of the European Union (CJEU) declared invalid a “Safe Harbor” framework whereby personal data could be easily transferred between many European countries and the US.
Many US schools and universities have relied on the Safe Harbor framework as the basis of the legality for transferring students’ personal data from the European Economic Area (EEA, i.e. the Member States of the European Union (EU) plus Iceland, Liechtenstein and Norway) to the US. What should institutions that have relied on Safe Harbor be doing now in light of the CJEU’s decision?
As a first step institutions (and third parties acting on their behalf) that are recruiting in the EU should review their data processing and storing activities. (What data is being processed and where?) The key determination is whether personally identifiable data is being transferred from the EEA to the US.
Read more on JDSupra.