No Safe Harbour

The ECJ has ruled that organisations cannot rely on the “safe harbour” framework to demonstrate adequate protection for personal data transferred from the EEA to the US. 

Speedread

Organisations that transfer personal data between Europe and the US will have to rethink their strategy following an ECJ ruling that they can no longer rely on the “safe harbour” framework to readily transfer personal data between jurisdictions. They will now need to find alternative ways of complying with their data protection obligations by making use of exemptions or perhaps considering the use of binding corporate rules to authorise intra-company transfers. 

Background

Under data protection laws, there is a general prohibition on the transfer of personal data outside of the European Economic Area (EEA), unless the recipient country offers adequate protection for the rights and freedoms of data subjects in relation to the processing of their personal data. 

In 2000, the European Commission decided that the set of data protection principles contained in the US “safe harbour” framework ensures an adequate level of protection. Organisations that signed up to the framework have long relied on this when transferring their employees’ and customers’ personal data to US-headquartered parent companies and service providers.

Facts

In Schrems v Data Protection Commissioner, following revelations that US intelligence agencies have been conducting mass surveillance of personal data processed in the US, Austrian citizen, Max Schrems, became concerned about the transfer of his personal data by Facebook’s European subsidiary, Facebook Ireland Ltd, to its US parent company, Facebook Inc. under the "safe harbour" framework. 

He complained to the Irish Data Protection Commissioner (the DPC) and asked that Facebook be prevented from transferring his personal data to the US. The DPC rejected the complaint on the basis that the European Commission had already decided that the "safe harbour" framework provides adequate protection. There then followed High Court proceedings in Ireland, which culminated in a reference being made to the ECJ.

Decision

The ECJ held that it was not enough to rely on the Commission’s decision that the framework provides adequate protection. Each Members State’s data protection authorities have to be able to determine whether the transfer of personal data to a country outside the EEA complies with the EU Data Protection Directive. The ECJ noted that the "safe harbour" principles have limited application as they do not apply to US public authorities, only to US companies that sign up to them. It was also noted that the principles are subject to US national security, public interest and law enforcement requirements and, as a consequence, did not ensure an adequate level of protection for personal data transferred to the US.

Implications

Negotiations between the US and the EU had been underway to establish an updated "safe harbour" framework. The ECJ judgment is likely to provide increased focus on the parties to conclude those negotiations as swiftly as possible. 

Companies that until now have been relying on the “safe harbour” framework to transfer data to the US will need to find alternative ways of complying with their data protection obligations. There are exemptions which might be relied on, including where the data subject’s consent to the transfer has been obtained or where the transfer is necessary to protect the vital interests of the data subject. 

Binding corporate rules (BCRs) are also becoming an increasingly popular way of authorising intra-company transfers (but not transfers outside the group), particularly where multinational companies have no wish to obtain permissions from a variety of different data protection authorities in each of the EEA jurisdictions in which they operate. Applicants must demonstrate to a lead data protection authority that their BCRs put in place adequate safeguards for protecting personal data throughout the organisation. 

For many organisations, however, it may be a case of having to modify their data transfer activity in the short term and “watching this space” for developments. The Information Commissioner recognises that it will take companies some time to adjust their procedures in line with the judgment.  He has indicated that he will be considering the judgment in detail and issuing further guidance for businesses on the options open to them over the coming weeks. 

If you would need any assistance with reviewing employee consents, advice on whether exemptions apply or need any other advice in this area, please contact Piers Leigh-Pollitt.