Irish businesses who transfer personal data to US based entities or who rely on US based processors to manage data on their behalf, such as employee or customer data, are facing uncertainty following a recent ruling of the Court of Justice of the European Union (the “CJEU”) which struck down the US Safe Harbour arrangement as unlawfully breaching EU privacy rights. In this article, Ronan Daly Jermyn’s Data Protection team answer the key questions about the CJEU decision and advise on how you can best place your business to deal with the changes in data protection law.
What is Safe Harbour?
Under the Irish Data Protection Acts, an organisation must meet certain conditions before it can transfer personal data outside of the European Economic Area. For Irish businesses wishing to transfer information to a US based entity, one of the most straightforward means of ensuring a legally compliant transfer was to ensure that the US based entity was signed up to the Safe Harbour arrangement. Under this arrangement US companies agreed to be bound by certain data protection rules, which were intended to ensure an adequate level of protection for personal data being transferred from the EEA.
What is the background to the CJEU decision?
Maximilian Schrems made a complaint to the Irish Data Protection Commissioner in June 2013 and requested that Facebook Ireland be prevented from transferring his personal data to the US. Based on the revelations made by Edward Snowden concerning the activities of US intelligence services, Mr Schrems contended that the US did not ensure adequate protection of the personal data held in its territory against surveillance activities.
The Data Protection Commissioner took the view that it was not required to investigate the matters raised by Mr Schrems as the European Commission had found in its Decision 2000/520 that the US ensured an adequate level of protection with its Safe Harbour Agreement.
Mr Schrems brought an action before the High Court challenging Decision 2000/520. The High Court considered that the decision at issue had to be assessed in the light of European law and referred the issue to the CJEU.
In Schrems v Data Protection Commissioner (Case C‑362/14), the CJEU declared that the US Safe Harbour principles are invalid and do not ensure a level of data protection compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals in the European Union.
How does this impact on Irish businesses?
The decision of the CJEU will have an immediate impact on many Irish organisations, including those that operate in the US market, those with US subsidiaries and/or branches, and those that use US based data processors to store or otherwise manage their data. Businesses can expect their data transfer arrangements to come under greater scrutiny to check whether they are in breach of data protection requirements.
The transfer of personal data to the US on the basis of Safe Harbour is prohibited, and businesses continuing to do so run the risk of being issued with a "prohibition notice" by the Office of the Data Protection Commissioner, which prohibits the transfer of data to a country.
The European Union and the US government are currently negotiating a new framework agreement; however, in the meantime, Irish businesses should look at putting alternative mechanisms in place to enable the continued transfer of data to the US. Safe Harbour was one of a number of legally permissible processes under which data can be transferred to the US, and companies must now consider what alternative approaches may be available to them.
What immediate steps should Irish organisations take?
All organisations should risk assess their data transfer practices to determine what data is being transferred to the US and whether this is on the basis of Safe Harbour. Organisations should also identify whether they use cloud services which transfer and store data in the US.
Terms and conditions already in place with data subjects should be reviewed to determine whether they meet any of the other conditions for lawful transfer to the US, for example, if they provide for adequate consent, as will be discussed below.
Existing data processing agreements and employment agreements should also be reviewed to ensure references to the Safe Harbour Agreement are updated or dealt with appropriately.
What alternatives to Safe Harbour can be relied upon by Irish organisations?
There are a number of situations in which businesses can lawfully transfer data to the US. These include the following:
- EU approved mechanisms such as model contracts or binding corporate rules which enable international transfers of data within a multinational company.
- Personal data can also be transferred to the US without an EU-approved mechanism in the following scenarios which are, however, of limited application:
  - the transfer of personal data is required or authorised by law;
  - the data transfer is necessary for the performance of a contract to which the data subject is party; or the transfer is necessary for the taking of steps, at the request of the data subject, with a view to his or her entering into a contract with the data controller;
  - the transfer is necessary to conclude a contract (or to perform a contract) between the data controller and someone other than the data subject, in cases where the contract is entered into at the request of the data subject, or where the contract is in the interests of the data subject;
  - the transfer is necessary for reasons of substantial public interest;
  - where the transfer is for the purpose of obtaining legal advice or for legal proceedings;
  - the transfer is necessary to prevent injury or other damage to the data subject’s health, or to prevent serious damage to his or her property, or to protect his or her vital interests in some way, provided it is not possible to inform the data subject, or obtain his or her consent without harming his or her vital interests; or
  - the personal data to be transferred are an extract from a statutory public register.
- In any other case, the free and informed consent of the data subject enables the transfer of personal data to the US.
Organisations should carefully consider which, if any, of the above exemptions may assist them in transferring data to the US in light of the CJEU decision and if there are any other practical solutions which will facilitate their particular business.
What future developments should Irish organisations look out for?
The European Union and the US government are currently negotiating a new framework agreement. Companies should be positioned to revisit existing contractual arrangements when, and if, a new agreement is put in place with the US.
In addition, the final version of the new Data Protection Regulation is expected to be published before the end of this year and this will bring significant change to the data protection rules that Irish businesses currently operate under.