Skip to main content Skip to Footer


Are you at risk of violating, knowingly or unknowingly, EU privacy laws?

Read Accenture's report on how a recent European Union court ruling on privacy rules puts a variety of U.S. based technology companies in legal limbo.


In September 2015, the EU Advocate General (AG) ruled that the current Safe Harbor agreement between the United States and the European Union (EU) does not provide adequate protections for data privacy.

The AG stated that the entire agreement, in place since 2000, is invalid because its personal data protections are not strong enough.

The agreement helped foster US-Europe trade by providing a framework for compliance with personal privacy protection rules.

Most US-based businesses offering cloud services adopted the Safe Harbor provisions in their contracts and presumed that they are in compliance with privacy protection laws.

Now, however, US companies may be at risk if their technology suppliers are not compliant with the tougher standards.

"Most US-based businesses offering cloud services adopted the Safe Harbor provisions and presumed they were in compliance with privacy protection laws. Now, they may be at risk if their technology suppliers are not compliant."

Who Is Impacted?

This development affects any organization that utilizes a supplier of technology services in which data originating in the EU is stored or is transferred to the United States.

According to the Information Technology and Innovation Foundation, more than 3,000 businesses in the United States and the EU rely on the Safe Harbor agreement to protect them from violating EU laws (2).

EU and US regulators are expected to eventually issue new guidelines while a more comprehensive new agreement is negotiated to replace the now-invalid Safe Harbor.

The more near-term concern is that with the Safe Harbor agreement invalidated, privacy regulators could potentially take action against trans-Atlantic data transfers.

What Are the Procurement Implications?

While the United States and EU are negotiating a new framework for data protection, organizations should consider the following actions:

  1. If an organization is actively negotiating agreements with such suppliers, discuss alternatives to Safe Harbor.

  2. Clients with Safe Harbor agreements will need to negotiate new terms and standards with each supplier to help ensure compliance with local laws, and that the organization is protected in the case of violations by the technology provider.

  3. In some extreme cases, re-sourcing a supplier may be warranted if the supplier cannot provide appropriate levels of protection.

"Clients are strongly advised to examine their roster of technology suppliers to understand whether they store or transfer data from the EU to the United States, and review contracts to understand whether Safe Harbor is the data protection compliance standard."

Sources and references

  1. Stewart, Ian A. and Ross, Jeremy L. “Is Safe Harbor Still Safe? U.S. Companies Face Challenges Ahead on the EU Privacy Horizon,” September 29, 2015, The National Law Review. Retrieved from:

  2. Weise, Elizabeth, “Europe’s Top Court Rejects ‘Safe Harbor’ Ruling,” October 6, 2015, USA Today. Retrieved from:

  3. Bodani, Stephanie, “EU-U.S. Data-Sharing Pact Is Invalid, EU’s Top Court Rules,” October 6, 2015, Bloomberg Business. Retrieved from:

  4. Federal Trade Commission: U.S.-EU Safe Harbor Framework. Retrieved from:

Nick Huff

Nick Huff

Mail to Nick Huff. This opens a new window.
Mark Hillman

Mark Hillman

Mail to Mark Hillman. This opens a new window.