Transferring personal data to the USA: is there no longer a “safe harbor”?

Key message
Due to a recent decision by the European Court of Justice (“ECJ”), businesses will now need to review the way they transfer any personal data to the USA and consider whether they need to take further action in order to ensure that they comply with EU data privacy laws.

What is the background to the law on this?
When businesses transfer personal data outside the EEA they must ensure that the data has “adequate” protection in order to comply with EU privacy laws. Some countries have been approved by the European Commission as providing that adequate level of protection and so businesses do not need to take further action.

The USA was not one of those countries, but since a European Commission decision in 2000 a company receiving the personal data in the USA could agree to comply with certain principles known as “safe harbor”. Compliance with these principles was taken to give the personal data protection broadly equivalent to that required under EU privacy laws, and so transfers to such companies were generally considered to be “adequate”. For many businesses this was their chosen method of ensuring that they were in compliance with EU privacy laws when transferring personal data to the USA.

What has changed?
On 6 October 2015, the ECJ issued a judgment in a matter widely referred to as “the Schrems case” (Case C-362/14 Maximillian Schrems v Data Protection Commissioner). The judgment declared the European Commission’s 2000 decision underpinning the “safe harbor” framework invalid, so that framework can no longer be relied upon.

Instead of relying on the European Commission’s decision in 2000 which paved the way for the “safe harbor” arrangements, each EU country’s national data protection authority should decide whether transfers of personal data to the USA comply with the requirements for adequate protection. This includes cases where the recipients of the personal data in the USA have signed up to the “safe harbor” principles. In light of recent revelations about the level of protection actually afforded to personal data held by companies that comply with the “safe harbor” principles, it seems that such compliance is not, after all, sufficient for the protection to be deemed “adequate” under EU data privacy laws.

Why are many of the news reports mentioning Facebook and Edward Snowden?
The “recent revelations” we refer to above are primarily those that came about as part of the information disclosed by Edward Snowden. This indicated the extent to which personal data was made available by companies including Facebook (but far from limited to just Facebook) to US intelligence agencies through various surveillance programs. It showed that the personal data was not receiving protection equivalent to that which it would receive under EU privacy laws, and so the level of protection would not be “adequate”.

The Schrems case was then brought specifically to challenge the legality of the decision of the Irish data protection authority not to investigate transfers of personal data to the USA made by Facebook Ireland under the “safe harbor” framework. The Irish courts referred questions to the ECJ, including whether the national data protection authority should be bound by the European Commission’s decision in 2000 regarding “safe harbor”. As mentioned above, the ECJ held that it is not bound by that decision and should instead itself review whether transfers of personal data to the USA comply with EU privacy laws.

What does this all mean for businesses?
If your business transfers personal data to the USA and has been relying on the recipient having signed up to the “safe harbor” principles, then you will need to review whether you can ensure that those transfers comply with EU privacy laws going forwards.

In the absence of being able to rely on “safe harbor”, other options are available: obtaining the consent of the data subjects, signing up to specific contract clauses, adopting rules for intra-group transfers or, in some cases, even making your own determination that the protection is “adequate”. That said, some of these options may themselves come under further scrutiny, as they also do not provide protection from surveillance by US intelligence agencies. This issue is also one of the causes of the delays in the EU/US negotiations for a new “safe harbor” framework. Unfortunately, it is therefore likely that businesses will need to review this area regularly for the foreseeable future to ensure that they continue to comply with EU privacy laws.

Carolyn Burbridge

Bulletins are for general guidance only. Legal advice should be sought before taking action in relation to specific matters. Where reference is made to Court decisions facts referred to are those reported as found by the Court. Please note that past bulletins included in the Archive have not been updated by any subsequent changes in statute or case law.