Data transfers to the US – you can no longer rely on Safe Harbour!

This Commission Decision, dating back to 2000, determined that the US Safe Harbour scheme provided an adequate level of protection for personal data transferred from the European Union to organisations established in the United States. Organisations in the US can self-certify compliance with the Safe Harbour principles (containing rules on how personal data are protected) for specified types of data processing. They then appear on a Safe Harbour list maintained by the US Department of Commerce – thousands of organisations are currently listed. A lot of EU organisations relied on this Decision to overcome the restrictions¹ on transferring personal data from the EU to group companies, business partners, service providers or other organisations in the US, where the recipient was so listed.

The CJEU ruling means that the Safe Harbour scheme no longer provides certainty there is an adequate level of protection in a data transfer from the EU to a US ‘Safe Harbour’ recipient, and therefore no longer provides certainty that such transfer is lawful under EU data protection laws. This, in turn, means that EU organisations will need to take additional or alternative action to ensure that such data transfers are lawful (see “What should EU and US organisations do now?” below).

Another key aspect of the ruling was that any EU Commission Decision on the adequacy of data transfers does not prevent national authorities from examining claims relating to the protection of personal data relating to that transfer. In other words, whether or not a Commission Decision has been declared invalid, EU Member States may consider the adequacy of the transfer, and may refer matters of validity of Decisions to the CJEU. This makes it even more important for organisations to undertake proper risk assessments before undertaking international data transfers (see “What should EU and US organisations do now?” below).

The main reason behind declaring the Decision invalid was that national security and law enforcement activities in the US prevail over the Safe Harbour scheme, such that public authorities could interfere with fundamental rights of data protection and privacy without restriction; in other words they may access and use data transferred to the US.

The ruling arose in connection with action taken in the High Court in Ireland by Maximillian Schrems following the revelations about NSA surveillance made by Edward Snowden. Mr. Schrems alleged that transfers of customer data by Facebook Ireland to Facebook US under the Safe Harbour framework does not provide sufficient protection for data, as there may be surveillance by US public authorities. The High Court in Ireland referred questions to the CJEU on whether the Decision prevented it from considering whether a transfer provided adequate protection.

It is also worth noting that the Safe Harbour scheme has faced criticism for some time, including with concerns over effective enforcement of the scheme. Therefore, even as a certain mechanism for overcoming the legal restrictions, there were already privacy risks in relying on it alone to ensure adequate data protection.

EU organisations should review their existing arrangements for EU to US data transfers, and undertake a risk and compliance assessment prior to undertaking new data transfers. A privacy impact assessment can be a good way of assessing and addressing the risks of data transfers (as well as other privacy and data protection risks).

As the Safe Harbour scheme no longer guarantees adequacy, organisations should seek to introduce alternative or additional contractual and procedural measures to protect data for both existing and new data transfer arrangements. This may include other pre-approved ways of overcoming the legal restrictions, such as use of the EU Commission’s model contract clauses, the use of binding corporate rules (for intra-group transfers).

US companies should also be considering what other data protection guarantees they are able to provide to facilitate data transfers to them, particularly in relation to potential access to data by public authorities.

Update – 16 October 2015: Some of the big technology providers based in the US are already offering contractual solutions to customers in addition to Safe Harbour.

The short-term and long-term solutions for both EU and US organisations may be different, particularly in consideration of the new EU Data Protection Regulation on the horizon, and potentially a replacement for the Safe Harbour scheme (see “Will there be a new Safe Harbour scheme?” below).

Note that the CJEU did not determine that the Safe Harbour principles are all bad; rather that they no longer guarantee an adequate level of protection. In some EU countries, including the UK, the data protection regulator² considers that organisations can make their own assessment of whether a transfer provides adequate protection. Adherence to the Safe Harbour principles may be a factor in that assessment (although, as noted above, there have for some time been additional concerns about the effectiveness of the scheme).

National data protection regulators may also be able to provide guidance for and approve particular types of transfer or protective measures. The UK Information Commissioner’s Office yesterday issued a statement indicating that it will be considering the judgment in detail, working with counterpart EU data protection authorities and issuing further guidance for businesses on the options.

Update – 16 October 2015: The UK Information Commissioner has advised organisations to “keep calm and carry on”, indicating he will give organisations time for to find alternatives to Safe Harbour before taking enforcement action. On 15 October 2015 he was meeting with EU counterparts in Brussels to discuss a consistent solution across the EU.

Negotiations are underway between the EU and the US (as they have been for some time) in agreeing a new framework for data transfers between the EU and the US. These are happening alongside the EU discussions to finalise the text for the proposed new EU Data Protection Regulation, which is likely to contain similar restrictions on transfers of personal data outside the EU. When these negotiations and discussions have concluded, and additional guidance is issued, organisations will have clearer picture of their options in relation to to EU to US data transfers going forward.

• “Transfers of employee data to the US” published in October 2015 edition of Evans Employment Law Limited newsletter (evansemployment.co.uk)