by Breda O'Malley February-19-2016 in Commercial & Business, Data Protection
Breda O'Malley discusses the data protection options for European companies transferring data to the US following the end of the Safe Harbour framework.
What is Safe Harbour?
Under European data protection law, there is a general prohibition on the transfer of personal data outside the EEA, unless the third country in question ensures an adequate level of protection for the personal data.
Safe Harbour was an agreed framework between the US and the EU Commission whereby personal data could be transferred outside Europe to the US, without contravening the above prohibition.
How did this work in practice?
US companies who signed up to Safe Harbour effectively self-certified that they would meet the required levels of protection. This was formerly the most straightforward way for European business who had a base in the US to transfer data outside the EU.
Background
The controversy surrounding Safe Harbour began with the Edward Snowden revelations. Snowdon, a former CIA Systems Analyst, sensationally claimed (among other things) that Facebook and other US companies were being forced to make user data, including EU user data, available to US intelligence and, in particular, to the National Security Agency.
When Austrian law graduate Max Schrems became aware of these claims, he filed a formal complaint against Facebook Ireland with the Irish Data Protection Commissioner (DPC) claiming that the laws and practices of the US offer no real protection against state surveillance. He also asked the DPC to prohibit Facebook Ireland from transferring his personal data to the US. The reason the complaint was filed with the Irish DPC is because the Irish office is responsible for overseeing Facebook and many other tech companies who have European headquarters in Ireland.
When the matter came before the Irish DPC, he ruled that he could not investigate the complaint as his office was bound by safe harbour, which was a product of the European Commission. He stated that, as such, the adequacy of protection under safe harbour was solely a matter for the Commission. (He also referenced the Commission's previous ruling in Decision 2000/500 that safe harbour ensured adequate protection).
Schrems appealed this decision by way of judicial review to the Irish High Court where it came before Mr Justice Hogan. At this juncture, Mr Schrems’ locus standi was hotly contested due to the fact that he could not prove that his data had been accessed by US intelligence. However, he was successfully able to argue that the question was rather whether US intelligence could access his data.
The case was then referred to the CJEU by way of the preliminary reference procedure as the circumstances at hand turned on an issue of European law.
Landmark decision of CJEU
The CJEU ultimately ruled that transatlantic data transfers under the safe harbour arrangement are invalid and do not ensure a level of data protection compatible with the protection of the privacy and the fundamental rights and freedom of individuals in the EU.
The judgment itself can be broken down into the following pillars:
1 Role of national data protection authorities
- The court emphasised the important role of national data protection authorities, which were described as an “essential component” in respect of the rights at hand.
- Power of national authorities – The court held that the Irish DPC was wrong to dismiss Schrems’ complaint and that national authorities are obliged to at least investigate complaints in order to check whether transfers comply.
- Standard of control regarding transfers – If a third country does not ensure adequate protection, the transfers must be prohibited.
2 Validity of Safe Harbour
- The CJEU determined that the Safe Harbour agreement was invalid.
- The court stated that when examining transfers the concept of “adequacy” is important in the context of the laws implemented in the third country and the commitments of that country to ensuring appropriate data protection. The court stated that there is a need to assess whether the applicable laws adequately protect the private lives and freedom of individuals as laid down by EU law. The court also championed the Charter of Fundamental Rights as being key as regards the rights at hand.
The case was thereafter remitted to the High Court in Ireland which then instructed the Irish DPC to fully investigate Schrems’ complaint. A final decision of the Irish DPC is awaited.
Impact of judgment
As a direct result of this decision, the transfer of personal data to the US via Safe Harbour is now prohibited. If businesses continue to do so, they risk being issued with a prohibition notice.
Who is affected?
European organisations who operate in the US market, who have US subsidiaries and/or branches, those who use US-based data processors to manage their data and US companies who have branches/headquarters in the EU. These organisations are now faced with a conflict. Are they obliged to hand over data as the NSA insists? Or are they forbidden to hand over EU citizen data, in light of the CJEU ruling?
Future developments
- EU and US are now under pressure to find an alternative to safe harbour with the aim of facilitating transatlantic data transfers, while respecting fundamental rights of EU citizens to privacy and data protection. In the first week of February 2016, a proposal for a new framework entitled Privacy Shield was announced to replace Safe Harbour with the aim of guaranteeing that EU personal data is given the same protections once it is transferred to the US. However, this framework remains at initial stages only.
- The final version of the new General Data Protection Regulation (GDPR) is expected to be published shortly which will bring significant change to European data protection rules. For now, a compromise text is available on the European’s Parliament website. The text suggests that the regulation may also apply to organisations located outside of the European Union, but who offer goods or services to European data subjects. This would catch technology companies who may currently locate their servers outside of the EU but target European customers. It is envisaged that the regulation, once finalised, will also provide further clarity in respect of international data transfers.
What do companies need to do in the interim?
Companies need to review their existing data transfer processes and related agreements to determine if data is being transferred to US and, if so, whether the transfers are being made pursuant to safe harbour.
Companies should also be aware that there are a number of alternative mechanisms, aside from Safe Harbour, which can be used to facilitate data transfers transatlantically:
- EU approved model contracts or binding corporate rules which allow data transfers within a multinational company. However, it has been suggested that these too could be at risk. This practice is currently being assessed by the Article 29 Working Party and a statement of guidance is expected shortly.
- Examples of other situations whereby personal data can also be transferred outside of the EU without contravening the general prohibition is where the transfer is:
- necessary for reasons of substantial public interest
- necessary for the performance of a contract to which the data subject is a party
- required/authorised by law
- if the free and informed consent of the data subject is obtained.
Therefore, while further developments are awaited, for now it is important that companies look to the alternative mechanisms which exist to facilitate the continued flow of data across the Atlantic.
Back to Full NewsShare this article:
About the Author
Breda O'Malley
Breda is a partner in the Employment Law Team at Hayes solicitors.
Breda advises on the full range employment issues across a broad range of sectors, for established business clients and senior executives.