A recent case before the Court of Justice of the European Union (“CJEU”) has thrown serious doubt on the validity of the US “Safe Harbor” scheme. Safe Harbor is used by many companies including Google, Facebook (about which this case was brought) and Amazon and it currently allows personal data to be transferred, in compliance with EU data protection rules, from the EEA to the US.
In order to comply with EU data protection rules, personal data should only be transferred outside of the EEA if the recipient of that data has “adequate” procedures in place to protect that data. There are a number of countries listed that have been found to have adequate procedures but the US is not one of them.
The EU Commission decided in 2000 that companies that undertake to comply with the “Safe Harbor” principles provide “adequate” protection for personal data they receive from the EEA (the “Safe Harbor Decision”). Many US companies took this relatively simple step in order to be able to receive personal data from the EEA.
The Safe Harbor scheme is regulated by the Federal Trade Commission in the US but until recently such oversight has been quite light. The Edward Snowden leaks (Snowden released large amounts of information regarding the US government’s electronic spying and data collection programmes) have shown that US authorities could access such data apparently freely despite the Safe Harbor rules.
An Austrian citizen, Max Schrems, objected to Facebook (Ireland) transferring his personal data to Facebook (US). He made a complaint to the Data Protection Commissioner in Ireland (the “DPC”) to prevent such transfers. The DPC decided that the Safe Harbor Decision could not be overruled. Mr Schrems sought judicial review and the case eventually made its way to the CJEU on the question of rights under the EU Charter of Fundamental Rights versus the Safe Harbor Decision.
Attorney General’s Opinion
The opinion of the Attorney General is not binding on the CJEU, but the Court uses it to assist in reaching its decision. The AG has said that data protection authorities should be able to investigate whether “adequate” safeguards are in place and should not be bound by a decision of the EU Commission such as the Safe Harbor Decision.
Further, given the revelations regarding the PRISM programme in the US the AG’s view is that the EU Commission should have suspended the Safe Harbor Decision and that it should now be declared invalid.
We are yet to receive this decision, but it is rumoured that the CJEU will deliver its judgment on Tuesday 6 October 2015. Given that this would swiftly follow the Attorney General’s Opinion, there is speculation that the CJEU is likely simply to ‘rubber stamp’ the AG’s opinion, meaning that all transfers of personal data from the EEA to the US which rely solely on the Safe Harbor scheme would likely be in breach of EU data protection law.
What to do if Safe Harbor is struck down
If you rely on Safe Harbor to transfer EEA personal data to, or receive such data in the US, then you will need to review your procedures. As part of this review you should consider the following:
- New Safe Harbor – the EU Commission and the US Department of Commerce are in negotiations over a new form of Safe Harbor scheme, but this is highly unlikely to be in force before the CJEU hands down its judgment.
- Binding Corporate Rules – these are used to cover transfers between companies in a large corporate group. They comprise a set of legally enforceable rules prepared by the group for the processing of personal data and have to be approved by the relevant data protection authorities. Approval by one EEA data protection authority does not necessarily mean that all other relevant EEA data protection authorities will approve them, so getting your binding corporate rules approved can be a very long-winded process.
- Consent – the data subject can consent to the transfer of his/her data outside of the EEA. However, there are likely to be situations where it is simply too difficult to obtain consent, or where consent cannot be reliably obtained (e.g. employees who may feel they need to consent or put their job at risk).
- Model Clauses – this leaves contracts based on the EU-approved model clauses, for use in agreements between the parties to a transfer of personal data outside of the EEA. To ensure that there is “adequate” protection for the data, the model clauses themselves should not be amended; it is, however, possible to add certain commercial clauses (e.g. liability clauses) as long as they do not override the model clauses. Getting all of the agreements signed by all of the parties involved in such data transfers may prove to be a relatively lengthy process, but this is likely to be the safest and quickest route to compliance if Safe Harbor is struck down.
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a limited liability partnership registered in England and Wales (No. OC326366) and is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office: 2 Stone Buildings, Lincoln's Inn, London WC2A 3TH. "Partner" denotes a member of the LLP or an employee or consultant with the equivalent standing.