ECJ rules Safe Harbour personal data transfers invalid
The Safe Harbour agreement made in 2000 between the European Commission (the “EC”) and the US allowed for the transfer of personal data from the EU to the US. Since its introduction, companies in the EU have relied on it to legitimise such transfers.
Why was it needed?
Under the EU Data Protection Directive, transferring personal data from the EU to third countries is not allowed unless those countries ensure an ‘adequate’ level of protection for that data.
In 2000 the EC established a system whereby US-based companies could self-certify that they would follow the principles known as the ‘Safe Harbour’ framework. To ensure that US companies would adhere to it, the Federal Trade Commission was tasked with enforcing the framework, and this was deemed by the EC as providing an ‘adequate’ level of protection for personal data being transferred to the US.
Why is it in the news?
Following Edward Snowden’s revelation that the US had been conducting mass surveillance of personal data, Max Schrems, an Austrian law student, complained to the Irish Data Protection Commissioner asking him to stop Facebook from transferring his personal data to the US. When the Commissioner rejected his complaint, basing his decision on the EC’s creation of Safe Harbour, Max Schrems fought the decision, which culminated in it being referred to the European Court of Justice (the “ECJ”).
On Tuesday (6th October) the ECJ ruled that the Decision issued by the EC in creating the Safe Harbour was invalid.
It noted that Safe Harbour only applied to self-certifying US companies and not to the US public authorities and, furthermore, that US national security, public interest, and law enforcement requirements could override the framework. As such, the ECJ did not think that Safe Harbour provided an ‘adequate’ level of protection for personal data transferred to the US.
Following the European Court of Justice ruling, firms are no longer allowed to transfer data from the EU to the US solely on the basis that they are members of the Safe Harbour scheme. Instead, they will have to seek specific contractual authorisation to export data.
What do I need to do?
It is important to bear in mind that Safe Harbour is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions. You need to check whether you use US-based cloud services to store or process data, and on what basis that data is transferred and stored.
If the transfer and storage of personal data relies on the Safe Harbour agreement, then you will need to find other ways to ensure that you comply with the Directive.
In the UK the Information Commissioner’s Office has said it will give businesses time to come up with new solutions and will be issuing further guidance for businesses on the options open to them in the coming weeks.