Data Protection Update
The European Court of Justice ("ECJ") ruled that US Safe Harbour provisions are invalid with immediate effect.
The decision is not unexpected and reflects unresolved political tensions between the US and the EU regarding the use of personal data following the revelations of mass surveillance of EU citizens arising from Edward Snowden's whistleblowing actions in 2013. The decision also reflects the findings of EU Advocate General Bot who has previously said that the US Safe Harbour scheme is unlikely to ensure an adequate level of protection for personal data.
However, surprisingly, the decision does not give a "grace" period in which those relying on the US Safe Harbour provisions can put alternative arrangements in place; the Safe Harbour provisions are immediately invalid and any corporation relying upon them now risks being in breach of EU and UK data protection laws.
The US Safe Harbour scheme has been in place since 2000. It is extremely popular with companies with transatlantic operations and allows the transfer of personal data from the EU to corporations in the US in a way which does not fall foul of the EU Personal Data Directive 95/46/EC. That directive prohibits the transfer of personal data outside of the EU to countries which do not ensure that the processing of personal data meets the same standards as it would in the EU. Whilst there are other methods of transferring personal data from the EU to the US in ways that are compliant, in practice many EU-US businesses relied on the US Safe Harbour scheme. One of the key attractions of Safe Harbour was its straightforward self-certification regime.
The case relates to an Austrian privacy campaigner (Max Schrems) who complained to the Irish Information Commissioner regarding the transfer of his personal data by Facebook Ireland (a subsidiary of Facebook Inc) to the US where that personal data undergoes processing. The complaints relate directly to the potential surveillance of Mr Schrems' personal data arising from Edward Snowden's leak. When the Irish Information Commissioner determined that Mr Schrems' complaints were unfounded and decided to take no further action, Mr Schrems took the matter to the Irish High Court which in turn referred the matter to the ECJ.
In reviewing the case and the US Safe Harbour decision, the ECJ determined that:
- there are many US corporations which are signed up to the Safe Harbour scheme which are almost certainly not compliant as the same corporations are or were also involved in the US PRISM programme (the subject of Edward Snowden's leak);
- the US Safe Harbour framework could not reasonably be relied upon as ensuring that EU citizens' personal data were afforded an adequate level of protection; and
- as a result, the Safe Harbour scheme is now invalid.

The outcome of this case is of extreme importance to businesses which transfer personal data from the EU to the US. Those businesses will need to review their personal data processes to ensure that personal data is transferred in light of the law as it now stands without the previous protection of the US Safe Harbour ruling.
In the meantime the EU Commission has said that it will prepare clear guidance on actions that businesses affected by the ruling should take. There remains hope that the US and EU authorities will reach agreement on new terms for a transatlantic scheme which improves upon Safe Harbour. The UK Information Commissioner's Office published a press release in which it said: "Concerns about the Safe Harbor are not new. That is why negotiations have been taking place for some time between the European Commission and US authorities with a view to introducing a new, more privacy protective arrangement to replace the existing Safe Harbor agreement. We understand that these negotiations are well advanced."
For more information, contact Matthew Holman.