Pantheon EU-Safe Harbor Framework

On October 6, 2015, the European Court of Justice ruled that the EU-US Safe Harbor Framework does not provide a valid legal basis for transfers of personal data from Europe to the U.S. This decision goes into effect at the end of January 2016.

Since 2000, the Safe Harbor framework has enabled US companies, including Pantheon, to legally handle personal data from customers in the EU. Nearly 5,000 US companies rely on Safe Harbor, and October’s ruling affects us all.

Though we are based in the US, Pantheon serves many EU-based customers, and has certified compliance with the privacy and security requirements of the Safe Harbor mechanism for a number of years. This is the basis for the transfer of personal data from the EU to the US in connection with our customers’ use of our website management platform. Pantheon will continue to comply with those privacy and security processes and practices.

Since the ECJ’s ruling in October, the UK Information Commissioner’s Office (ICO) has issued a response stating that it will be working with its “counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them” for transfer of personal data to the US. The European Commission has released similar statements to provide further guidance to ensure a coordinated European approach.

It is widely expected in the industry that the work of the European Commission and/or UK ICO will soon provide guidance on complying with EU privacy standards and legally handling customer data in a post-Safe Harbor world. Because of Pantheon’s existing robust privacy and security processes and practices, we are well positioned to rapidly put in place a new data transfer framework to replace Safe Harbor.

Such a data transfer framework may include incorporating an additional data processing addendum based on the European Commission’s Standard Contractual Clauses (Processors) into Pantheon’s Terms of Subscription Service. Pantheon makes its privacy policy available here, along with an overview of our security program here.

In the event that our existing data transfer mechanisms prove insufficient for our customers, and customers require EU Model Clauses or data processing agreements in addition to these safeguards, we are more than happy to continue assisting our customers with these requests.
