Do you worry about the extent to which corporations protect your personal data? An Austrian law student (Max Schrems) acted on such concerns and, as result, toppled a 15 year old international legal agreement between the EU and the US which facilitated the flow of huge quantities of data across the Atlantic. On 6 October 2015, the Court of Justice of the European Union (in Maximilian Schrems v Data Protection Commissioner) invalidated the EU-US Safe Harbor agreement with immediate effect, sending shockwaves through the digital world.

The ruling is a highly significant development for companies involved in the transfer of personal data from the EU to the US, and means that a vast number of on-going data transfers from the EU to the US may now be unlawful.

Backdrop

The transfer of personal data outside the EU is tightly restricted.  In summary, companies can only transfer personal data outside the EEA if adequate protection is ensured for that data in the country to which it is sent. EU data protection laws are some of the strictest in the world, offering protection far beyond that available in the US and many other countries. The US is therefore one of many countries whose data protection laws are considered by the EU to offer an inadequate level of protection to personal data sent from the EU. 

The Safe Harbor agreement sought to overcome this difficulty by establishing a framework between the US and the EU to essentially allow for easy and legal transfers of personal data.  Under the agreement, US companies could self-certify that they comply with the EU’s data protection requirements, thereby allowing personal data to be legally transferred to these companies from the EU.  Over 4,000 tech companies, including giants such as Google, Facebook and Microsoft, relied on the Safe Harbor to ensure the legal transfer of huge quantities of data from the EU to their servers in the US.

The collapse of the Safe Harbor can be traced back to early June 2013, when the man behind the biggest intelligence leak in history made the journey from patriot to one of America’s most wanted men.  Former National Security Agency contractor Edward Snowden leaked thousands of top-secret documents to the public, revealing details of extensive internet and phone surveillance by American intelligence.  These revelations suggested that, despite the Safe Harbor, European data stored by US companies was not adequately protected.

In the wake of the Edward Snowden leaks, Max Schrems brought a case before the Irish High Court relating to the transfer of his personal data provided to Facebook Ireland (Facebook’s European headquarters) to Facebook servers in the US. All EU Facebook subscribers’ data is transferred to the US via this route. Schrems argued that the Safe Harbor did not offer adequate protection to his personal data, given the access provided to it by Facebook to US government and law enforcement agencies. The case was referred to the ECJ, who invalidated the Safe Harbor, stating that US companies were “bound to disregard, without limitation” the EU’s privacy requirements.

Practical implications

English companies which rely on the Safe Harbor in order to transfer data to the US now need to immediately consider alternative means of complying with the Data Protection Act 1998 in relation to such transfers. Such methods include (but are not limited to):

  • Obtaining explicit written consent from individuals to the transfer of their personal data to the US.
  • Using standard contractual clauses issued by the European Commission. Binding the recipients of data based in the US to such model contracts equates to a contractual obligation on the US-based recipient to provide an adequate level of protection to the data transferred. 
  •  Using ‘Binding Corporate Rules’ (BCRs) in circumstances where a transfer is made from an English company to a US-based group company. BCRs are approved by the Information Commissioner’s Office (ICO) and act as a legally enforceable framework setting out how each company in a group treats the personal data it processes.

However, so long as the US recipients of data are required to allow US authorities wide-ranging access to that data, the methods of compliance set out above (particularly the latter two) are vulnerable to a potential declaration of invalidity by the ECJ should they come under a similar challenge to that faced by the Safe Harbor.

The ICO has stated that it will shortly issue guidance for businesses on the options available to them following the Safe Harbor judgment. It seems unlikely that the ICO will start issuing fines to companies who are still transferring data in reliance on the Safe Harbor prior to the release of such guidance. Nonetheless, affected businesses are urged to review their methods of compliance sooner rather than later. The clock is ticking.