Post by Loreen Jamieson |
Those of you familiar with the Safe Harbor Agreement will be aware that the Court of Justice of the European Union (CJEU) ruled in October 2015 that it’s no longer valid. The questions now are: what does this ruling mean for EU companies who need to continue to transfer personal data to the US; and what is the deadline for enforcement action? I caught up with Emma Butler, Data Protection Officer at LexisNexis UK, for some answers.
What was Safe Harbor?
EU data protection law has a transfer principle stating that personal data cannot be transferred outside the EU, unless there are adequate measures in place to protect the use of this data. There are several ways to achieve adequacy and Safe Harbor was one of them. It was a voluntary framework between the US Department of Commerce and the EU Commission to provide an adequate means of transferring personal data. US companies could sign up to treat EU personal data in line with seven principles, similar to the EU principles, and this allowed them to receive EU personal data in compliance with the transfer principle. Companies self-certified annually and enforcement was ensured by the Federal Trade Commission (FTC).
Why has the new CJEU ruling come about?
The ruling is a result of revelations made on how the US National Security Agency (NSA) was able to access data held by US companies. An Austrian law student complained to the Irish Data Protection Authority (DPA) about Facebook sending his personal data to the US under Safe Harbor, which is ‘not adequate’ due to the ease of NSA access. The DPA concluded that it was not possible for the organisation to investigate, as Safe Harbor was an EU Commission decision of adequacy. The law student therefore took the case to the Irish national court who solicited the CJEU to decide on whether a data protection supervisory authority was bound by the EE Commission's decision that Safe Harbor provided an adequate level of protection for European data.
In its ruling, the CJEU has gone beyond the original query, taking the view that Safe Harbor does not in fact provide an adequate level of data protection. Safe Harbor is unable to prevent large-scale access by the US intelligence authorities to personal data transferred from Europe.
What is the impact of this CJEU ruling?
Safe Harbor is no longer available to businesses as a method of ensuring compliant transfer of personal data from Europe to the US. Interestingly, Switzerland and Israel, who previously recognised Safe Harbor, have also rendered it unsuitable. Companies who need to transfer personal data to the US – remember remote access into data from a third country is also a transfer – now have to find an alternative method to cover the transfer. The EU Commission and US Department of Commerce were already negotiating improvements to Safe Harbor following a Commission report identifying 13 areas for improvement. It remains to be seen if this new version of Safe Harbor will emerge, be acceptable to companies or again be challenged.
How can we continue to share data?
The most common alternative method is the use of Model Contract Clauses between the sending and receiving entities. These are contract clauses that cannot be amended setting out the obligations on each party. They can be added to another business contract or used stand-alone. Companies must complete an appendix setting out the details of the data to be transferred and purpose for each data transfer, and processors must complete an appendix highlighting what security measures exist. Some multinationals have binding corporate rules in place and others may now consider this route. These are a binding code of conduct for data protection, are costly and time consuming and have to be approved by national Data Protection authorities, and so are not suitable for small and medium size enterprises. The law also provides for derogations from the transfer principle i.e. circumstances in which the transfer principle does not apply. Examples of such circumstances are where there is an individual’s consent or where the transfer is necessary for the performance of a contract between the company and the individual. Companies need to assess their data flows to the US to determine if any data transfers were done under Safe Harbor, and then ascertain what the best alternative method is. Examples of alternative methods are derogations or bespoke contract clauses, although approval will vary based on the regulator in question. For instance, the Information Commissioner’ Office (ICO) in the UK will not approve bespoke contract clauses.
When could enforcement action be taken?
In the current global economy where organisations need to work across different continents, the ruling on Safe Harbor is a key business issue that must be dealt with immediately. If you have any issues or concerns about transfers of personal data to the US and other non-EU countries, consult your in-house legal department or Data Protection experts for specific advice. Data Protection authorities are due to take enforcement action from 31 January 2016, so hopefully most organisations have already started assessing their data flows, to determine alternative methods for data transfers.