The European Union's General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. GDPR introduces new obligations for any organization that handles data about EU citizens — whether that organization is located in the EU or not. It introduces data breach notification into European law for the first time. And it places stricter responsibilities on organizations to prove they are adequately managing and protecting personal data.
At this time, until GDPR comes into effect, CenturyLink's legally approved language for both Safe Harbor & the GDPR:
When the European Court of Justice issued its decision invalidating the U.S. Safe Harbor Certification Program, CenturyLink retained the administrative, technical, and physical security controls already implemented to protect customer data and support its global compliance programs. At the same time, CenturyLink began reviewing its options for an alternative cross border data compliance framework. CenturyLink has been using the Standard Contractual Clauses (SCC) as a valid legal framework applicable to data transfers, and intends to continue doing so. The SCC's utilize existing security controls and compliance programs, and are better suited for the global nature of CenturyLink's customer base and operations. Customers with EU Data Directive compliance obligations should contact their account team to discuss the use of the Standard Contractual Clauses.