The Court of Justice of the EU ruled on 6 October 2015 that the US Safe Harbor scheme is invalid.
While this outcome is not entirely unexpected, it is a highly significant development for companies involved in the transfer of personal data from the EU to the US, and also for US-based service providers providing data services or SaaS solutions to EU-based clients. The judgment means that businesses that have relied on Safe Harbor will need to review how they ensure that data sent to the US is transferred in line with the law.
The eighth data protection principle of the UK Data Protection Act – reflecting the EU Data Protection Directive – says that personal data shall not be transferred to a country outside the European Economic Area (EEA) unless that country ensures an “adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.
You can transfer personal data overseas if you have the individual’s consent. However, this is not a great solution: consent, even if given, may later be withdrawn, and true consent is hard to obtain. In particular, consent will not be valid if the individual – such as an employee of a UK subsidiary being asked to agree that his or her information may be held by the US parent company – has no choice but to give it.
Data transfers can be made to any country in respect of which the European Commission has made a ‘positive finding of adequacy’. While countries such as Canada, New Zealand, Israel and Switzerland are on this list, the US is not.
If the transfer is to the US, and the US recipient of the data has signed up to the US Department of Commerce Safe Harbor Scheme under which the transferee undertakes to comply with certain data protection principles, then – until now – this has been recognised as providing “adequate protection”. Over 5,400 US companies are on the Safe Harbor list.
How did this case arise?
An Austrian citizen called Maximillian Schrems was a Facebook user. As with other EU Facebook users, Mr Schrems’ Facebook data was transferred from Facebook’s Irish subsidiary to servers located in the US.
Mr Schrems filed a complaint with the Irish data protection regulator that, in the light of the Edward Snowden revelations in 2013 concerning the mass surveillance activities of the US intelligence services, and the fact that US intelligence can access personal data of EU individuals, the US does not offer an adequate level of protection against access by US authorities to personal data transferred to the US. Accordingly, Mr Schrems sought an order that Facebook should not transfer his data to the US.
While the Irish authority initially rejected the complaint because Facebook is registered under Safe Harbor, the issue was referred to the Irish High Court and then to the European Court of Justice.
So, what should we do?
The Safe Harbor Scheme is not the only basis on which transfers of personal data to the US can be made. Adequate safeguards can be put in place in a number of ways including:
- using approved Model Contract Clauses – intended for one-to-one bilateral transfers from a data controller in the EEA to a data controller or a data processor outside the EEA;
- adopting Binding Corporate Rules – intended for multinational organisations transferring information outside the EEA but within their group.
Businesses that have up to now relied on Safe Harbor will need to review the legal basis for future transfers and may need to implement some alternative solution. There is unlikely to be a quick fix, but specific actions may include:
- Auditing data transfers and assessing legal risk.
- Considering alternative data transfer architectures where possible; for example, using service providers who retain data within the EEA, or other approved countries.
- Implementing Model Contracts with any counterparties, such as group companies or cloud service providers.
- For intra-group transfers, adopting Binding Corporate Rules within the group.
- Reviewing if and where data subject consents are being obtained.
- Checking contractual arrangements in case the loss of the Safe Harbor is a breach of data processing obligations and, if so, assessing what action to take.
The decision creates uncertainty as to how matters will develop in relation to trans-Atlantic data transfers. It also raises the possibility that other data transfer arrangements (such as the standard clauses for controller-controller or controller-processor data transfers) could also be open to challenge and invalidated.
The UK Information Commissioner recognises that it will take some time for companies to respond. As such, there is unlikely to be any immediate regulatory action taken in respect of companies that have hitherto relied on Safe Harbor and may now, strictly speaking, be in breach of the eighth data protection principle.
Concerns about the Safe Harbor have been expressed for a while. Indeed, negotiations have been taking place for some time between the European Commission and US authorities with a view to introducing a new, more privacy-protective arrangement to replace the existing Safe Harbor agreement – sometimes referred to as Safe Harbor 2.0. While these negotiations are well advanced, it is not known if and when they will come to a conclusion.
Meanwhile, further guidance from the EU and UK Regulators is to be expected within the coming days/weeks.
Please contact us for assistance with reviewing your options or in respect of data protection compliance generally.