g-docweb-display Portlet

Data Transfers to the USA: the "Safe Harbor" Authorisation is Invalid

Stampa Stampa Stampa
PDF Trasforma contenuto in PDF



Data Transfers to the USA: the "Safe Harbor" Authorisation is Invalid
Companies to rely on other tools to protect Italian citizens´ data


The Italian Data Protection Authority (Garante) ruled that the authorisation it had issued years ago to enable data transfers to the USA on the basis of the so-called "Safe Harbor" Agreement is invalid. Accordingly, companies, multinationals and other organisations will have to rely on other tools under the data protection law to transfer data across the Atlantic.

The Garante adopted this decision – to be published shortly in Italy´s Official Journal – following the recent judgment whereby the CJEU declared the "Safe Harbor" regime to be invalid, which did away, in turn, with the legal basis for transferring personal data from the EU to the USA via this regime. The decision by the Italian DPA is in line with the stance taken jointly by the Article 29 Working Party (including representatives from all EU DPAs) in the past month.

Until specific decisions are taken at European level, companies may thus lawfully transfer Italian citizens´ data to the USA with the help of other tools such as – for instance – Standard Contractual Clauses or the so-called Binding Corporate Rules (which may be relied upon to regulate data flows within a corporate group).

The DPA reserved the right to carry out controls in order to establish whether data transfers are being carried out lawfully by data exporters.


Rome, 6 November 2015