In early October, 4,200 companies that have been certified under the U.S. Safe Harbor Framework as having developed processes and procedures to protect the private information of EU citizens were told that their certifications were invalid. Privacy experts have been scrambling to give them advice on next steps, which include utilization of model contractual clauses relating to individual data transfers, or implementation of binding corporate rules requiring the approval of an EU Data Protection Authority, which can take up to a year to accomplish. Whether these actions will also be considered invalid along with the Safe Harbor framework is not clear. However, since both allow for an individual’s ability to question a company’s compliance with the EU privacy directive, it is more likely that they would be considered adequate.