Safe Harbour is gone: what you need to know

Earlier this week (6 October 2015) the Court of Justice of the European Union (the CJEU) declared the Safe Harbour scheme for transfer of personal data from the EU to the US invalid with immediate effect.

This judgment, which follows a referral from the Irish courts, means that organisations will find themselves in breach of data protection legislation and will therefore need to take steps to bring themselves into compliance.

By way of background, EU data protection legislation does not permit the transfer of personal data outside of the EEA unless the recipient country can ensure that the personal data will receive an “adequate” level of protection. One such determination of “adequacy” may arise where the Commission decides that a country has sufficient data protection laws in place to protect the rights of data subjects – such as Canada and Switzerland. The US, however, does not have a system of data protection legislation which readily lends itself to the Commission simply declaring it to be “adequate”. As a consequence, a unique decision was made at the start of the century to permit the transfer of personal data to the US, pursuant to the so-called Safe Harbour regime (Commission Decision 2000/520).

Unlike previous findings of adequacy, Safe Harbour related to companies receiving personal data from the EU rather than a territory as a whole. Guidance on how to provide adequate protection for personal data from the EU was drafted by the US Department of Commerce in conjunction with the European Commission and eligible companies could self-certify that their practices were in line with this guidance. As at the date of the CJEU’s judgment thousands of companies were operating under the Safe Harbour regime and many European companies and organisations had transferred personal data to such companies – transfers which may now be unlawful following the judgment.

The CJEU’s judgment in Case C‑362/14, Schrems v Data Protection Commissioner, highlighted a number of issues with Safe Harbour and ultimately took the view that Safe Harbour was not providing “adequate” privacy and data protection rights to data subjects. This inadequacy stemmed from a number of reasons, including the fact that US public authorities are able to access personal data, the non-compliance of companies with the Safe Harbour guidance, and compliance with US legislation taking precedence over the Safe Harbour guidance. The CJEU was therefore left with no option but to declare Safe Harbour invalid.

As a result of this judgment it is now vital that organisations which have been relying on Safe Harbour consider alternative solutions to ensure that current practices remain lawful. Whilst all global businesses will be affected by this, organisations particularly at risk are those that:

  • use cloud-based services providers from the US; and
  • transfer personal data to a US group entity, such as a parent company.

Any business which falls into one of the categories above should immediately investigate whether or not it: (a) is relying on Safe Harbour; and (b) has alternative measures in place to permit it to transfer personal data to the US.

The good news is that there is a range of alternative measures which can be implemented to ensure that the transfer of personal data to the US is lawful. These range from Model Contract Clauses (an EU-approved agreement in place between the transferor and the transferee) to Binding Corporate Rules, which can allow personal data to be far more easily transferred intra-group throughout the world. Consent of the data subject may also be relied on, but we note that this must be actively received and must be capable of being withdrawn – for these reasons it is not advisable to rely on consent for transferring personal data outside of the EEA.

In terms of enforcement, any unlawful transfer of personal data to the US will be a breach of data protection legislation and could result in action being taken by the ICO (or applicable national data protection authority), which of course would bring with it negative publicity. It should be noted, however, that national data protection authorities will likely take a sensible stance before pursuing enforcement action. Additionally, the ICO has commented that further guidance for businesses on transferring personal data to the US is being drawn up.

In summary, Safe Harbour is gone. A new regime may be implemented – talks have been ongoing between the EU and the US for over a year on this issue – but for now companies should consider if the invalidation of Safe Harbour affects them and what measures can be put in place to prevent unlawful transferring of personal data to the US. It is not a time to panic; it is a time to be proactive.

If you would like to discuss how this CJEU judgment may affect your company please contact Ted Shapiro, Caroline Kean or Patrick Rennie from our Data Protection Department.

Useful links:

ICO Guidance on non-EEA transfers of personal data

Database of Safe Harbour certified organisations

Working Party 29 Press Release following CJEU Schrems judgment