The European Court of Justice (ECJ) has invalidated the European Commission’s decision that the EU-US Safe Harbor scheme provides adequate protection for the transfer of personal data of European citizens to the US. In this concise briefing note, Carolyn Bertin explains the impact the ruling will have on businesses.
This ruling follows a claim brought in Ireland by an Austrian privacy advocate, Max Schrems, against Facebook, alleging that his privacy had been violated by the NSA's mass surveillance programmes. (That European data stored by US companies was not safe from surveillance that would be illegal in Europe was first revealed by the whistleblower Edward Snowden.) Schrems brought the case in Ireland because Facebook's European headquarters are in Dublin. Like most US companies, Facebook transfers personal data about its employees, customers and users to servers in the US, where it is stored and processed and transferred onwards to back-up and support centres in other parts of the world. Up to 4,500 US companies (not only technology companies) rely on Safe Harbor to legitimately transfer personal data in this way.
What the ECJ's ruling says, in short, is twofold: the Commission's decision that Safe Harbor provides adequate protection for personal data processed in the US cannot remove the power of national data protection authorities to examine, on a complaint, whether a transfer complies with EU data protection law; and the Commission's decision is itself invalid. Ireland's data protection authority is therefore now required to examine Mr Schrems's complaint and decide whether the transfer of Facebook's European subscribers' data to the US should be suspended on the ground that the US does not afford an adequate level of protection of personal data.
The effect of this is that US companies with European customers could now face scrutiny from the data protection regulators of individual European countries challenging the validity of transfers of European citizens' personal data to the US that were previously made under Safe Harbor. Such companies could be subject to multiple regulatory regimes, each enforced by a national regulator, which could force companies such as Facebook to host the personal data of European citizens in the country of citizenship rather than in the US.
US companies relying on Safe Harbor, and European companies engaging with US suppliers relying on Safe Harbor, need to explore other options for the legitimate transfer of personal data of European citizens to the US or ensure that European citizens’ personal data is kept in Europe.
One obvious alternative is obtaining the consent of the European citizens whose data is to be transferred to the US. However, to be valid, this consent must be explicit and freely given. European affiliates of US companies that have tried to legitimise the transfer of employee data by obtaining consent through a term in employment contracts, and companies that have buried a consent clause in online terms, have faced challenges on the grounds that consent obtained in this way is neither explicit nor freely given.
Another alternative is Binding Corporate Rules for intra-group data transfers around the world. This is not a quick solution: it requires an organisation to implement, in consultation with the data protection authorities, a code of conduct for protecting personal data in accordance with European Union (EU) data protection laws when transferring it to companies in the same group located outside the European Economic Area (EEA).
The most popular alternative is likely to be the European Union Model Clauses (Model Clauses), a standard agreement endorsed by the European Commission that can be slotted into contracts involving the transfer of personal data. However, because the Model Clauses were approved by the European Commission in the same way as Safe Harbor, it is possible that similar challenges could be brought against the adequacy of the Model Clauses for protecting personal data transferred outside the EEA.
Certainly, all organisations that transfer European citizens' data to the US under Safe Harbor, or that rely on the services of companies that transfer the personal data of their European employees, customers or users to the US under Safe Harbor, need to urgently review their practices, implement an alternative legitimate means of transfer and processing, and ensure that the data processing terms in the relevant supplier contracts are renegotiated.
For more information on how we can help you determine which alternatives are available to you or in renegotiating data-processing obligations with your suppliers, please contact:
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.