On 06 October 2015, the European Court of Justice (ECJ) ruled that the Safe Harbour agreement, which allows data to be transferred between the EU and US, was invalid as it did not provide adequate protection for European citizens.
The ruling comes as a result of a long-running dispute between an Austrian law student, Max Schrems, and Facebook. Although Facebook’s business is established in Ireland, it stores and processes most of its customer data in the US.
Facebook, along with around 4,400 other companies, makes use of the 15-year-old Safe Harbour agreement between the European Commission and the US. This allows US companies to transfer data on European citizens across the Atlantic if they agree to meet certain conditions, which include notifying customers when their data is collected and used.
Following disclosures by whistleblower Edward Snowden in 2013 that US spy agencies had access to huge quantities of personal data via various technology and telecoms companies, Schrems lodged a complaint with the Irish Data Protection Commissioner. He argued that the regulator had failed to protect him from mass surveillance by the US National Security Agency. The Irish Data Protection Commissioner claimed that it could not suspend data transfers by Facebook to the US, as Facebook was part of the Safe Harbour agreement.
The High Court of Ireland referred the case to the ECJ, which found in Schrems’ favour. In a press statement the ECJ said:
“The Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and to decide whether transfer of the data of Facebook’s European subscribers to the US should be suspended on the grounds that that country does not afford an adequate level of protection of personal data.”
But what are the implications of the ECJ ruling on businesses? According to Andrew Evans, partner at law firm Gateley plc, “Businesses in the European Economic Area (EEA), regardless of size, are no longer able to rely on the Safe Harbour rules for personal data transfer and storage to the US. Many EU businesses, who use US companies for data storage and other forms of processing, or US companies operating in Europe and transferring data to the US, will now be breaching EU data protection laws.”
The implications are significant, widespread and do not depend on business size. However, Evans advises firms not to panic.
“The ruling has left many businesses trading in the EEA exposed. But for precisely this reason, the risk of enforcement by local data protection regulators is unlikely in the short-term. The UK Information Commissioner’s Office (ICO), for example, has said that it will issue guidance over the coming weeks. Once this has been issued, there will be time for businesses to put their houses in order. The ICO is unlikely to impose any civil fines on UK businesses merely as a result of the ECJ decision — not at least until they have been given adequate time to action the decision and any new guidance.
Secondly, I would advise businesses to identify if Safe Harbour was being used as a means to achieve data protection compliance. And if so, to examine the best options to address the position.
The path of least resistance is likely to be to adopt the EC model data protection clauses in a contract with relevant US companies. These are a set of clauses published by the European Commission, which a US company can sign up to with each EU business to provide adequate data protection, if Safe Harbour was not being used. In light of the publicity around this decision, I anticipate that most US companies will be ready for and expecting these requests. To obtain the full protection of the model clauses, though, they should be adopted in the published form without any changes.
Alternatively, US companies may institute binding corporate rules regarding data protection and register these with the European Commission on a company by company basis, although this can be time-consuming and protracted.
EU businesses may also look at providing the same service within the EEA; anonymising the data so it no longer meets the definition of “personal data”; applying one of the derogations for data transfer outside the EEA (e.g. the data subject has given unambiguous consent to the transfer, or it is necessary for the performance of the contract with the data subject); or changing their data processing and storage arrangements.”
Politically, the EU and US have been discussing revisions to the Safe Harbour scheme since 2013. “This case will increase pressure on the EU and US to find a solution, and also potentially increase the EU’s negotiating position, particularly with the EU General Data Protection Regulation going through trilogue. However, given the speed at which the wheels have turned so far, any solution is likely to be some way off,” concludes Evans.
The post European Court of Justice declares Safe Harbour invalid – what are the implications? appeared first on Payments Cards & Mobile.