Executive summary

  • UK businesses which transfer to or share with US companies any databases containing personal data have to comply with rules set out in the Data Protection Act to ensure that the transfer or sharing protects the individuals’ privacy rights.
  • One way of doing this was a voluntary scheme set up by the US Department of Commerce called “Safe Harbor”. The EU’s highest court has now ruled that Safe Harbor is not fit for purpose and cannot be used.
  • Transfers/sharing which relied on Safe Harbor therefore breach the DPA and, after 31 January 2016, further transfers risk enforcement action, including fines.
  • Other compliance methods can be used instead, but these need to be put in place quickly to stay within the law.

Do I need to read this?

Yes, if:

  • your business keeps personal information about staff, customers, suppliers or contacts or any other database containing personal details about individuals who live in the EU; and
  • you send this information to companies based in the USA (either because they are providing you with a service, such as cloud storage or data processing) or as part of a data sharing arrangement.

The US company you are sending your information to may be relying on the US Department of Commerce’s “Safe Harbor” Scheme to allow it to keep and use personal information without putting you in breach of EU data protection laws, such as the UK’s Data Protection Act 1998 (DPA).

You should check the arrangements with the US entity to find out if they have been relying on Safe Harbor, or using a different mechanism to comply with EU rules. If they have been relying on Safe Harbor, then this note applies to you.

How will I know if the US entity we send information to is using Safe Harbor?

Whenever you send or share a database containing personal data (i.e. personal information about living individuals: this description includes any personal information, even if the person’s name is not included) to someone else, you must have a contract with them to make sure that you are complying with the DPA. With US companies relying on Safe Harbor, the contract should state this.  The list of US companies using Safe Harbor can be found at: https://safeharbor.export.gov/list.aspx

If you do not have a written contract with the US entity, there is a good chance that you are already breaking the law. The rest of this note outlines routes that you may be able to use to resolve the issue.

What does Safe Harbor do and why do I need it?

The law in this area is harmonised across the EU but in this note, we will use the provisions of the UK’s DPA.

The Eighth Data Protection Principle under the DPA states that data controllers must not transfer personal data to a country outside the European Economic Area (EEA)[1] unless the country concerned has been certified by the EU as ensuring an adequate “level of protection” for the rights of those individuals.  If the level of protection is not adequate, then other steps must be taken (such as use of standard contract terms) to give the required protection in some other way.

The list of countries whose laws are deemed sufficiently tough to give an adequate level of protection is still fairly small. However, to allow US companies to accept personal data from European customers, partners and affiliates, the US government created the Safe Harbor scheme.  This is essentially a voluntary declaration and self-certification by US companies who sign up for the scheme that they will offer basic protection and rights for individuals whose information they receive from Europe.   The scheme was certified by the EU to the effect that any US company participating in the scheme was deemed to offer an adequate level of protection, meaning that UK businesses could transfer personal data to them without breaking the Eighth Principle outlined above[2].

What has happened to Safe Harbor?

Mr Schrems, who is a well-known privacy campaigner, complained to the Irish data protection authorities that his data had been supplied to Facebook in the USA under the Safe Harbor scheme, but he claimed that the revelations by Edward Snowden in 2013 showed that, in reality, the Safe Harbor scheme offered no protection against surveillance by US government agencies. When the Irish authorities rejected the complaint, Mr Schrems went to the Irish courts, who in turn asked the EU’s highest court, the Court of Justice of the European Union (CJEU) to review the matter.

In its judgment in October 2015[3], the CJEU stated that the Safe Harbor rules would permit US security agencies to indiscriminately access data held by US companies, without any kind of check on whether the access was necessary or proportionate, and without ensuring that there was any mechanism for EU individuals to complain.  On this basis it ruled Safe Harbor did not offer adequate protection and the EU’s decision accepting the scheme as such was therefore annulled.

This means that UK businesses can no longer accept Safe Harbor certification from their US suppliers or partners as a basis for their compliance with the Eighth Principle of the DPA.

When will this be effective?

Immediately. But most EU authorities have said that they will not take any enforcement action until the end of January 2016. After that, transfers made by UK businesses to US entities using only Safe Harbor will be breaking the law, opening the prospect of enforcement steps, including fines.

So what do I do now?

Don’t panic. There are other ways of complying with the law.

The simplest and safest way is to put in place a contract with the US recipient that uses Standard Contract Clauses which have been approved by the EU[4].  These clauses must be used unamended and you need to select the one that suits the relationship best (the distinction being whether the US entity is merely “processing” information in accordance with your instructions, or whether they are taking the information and control how it is then used).    Some commentators have noted that the standard clauses suffer from the same deficiency as Safe Harbor, in terms of levels of protection offered in respect of US government monitoring; we think this is correct, but the only body that can annul the EU decision adopting the standard clauses is the CJEU, and any case is likely to take two to three years to get that far, so for the medium term at least, the standard terms will do the job.

If the standard clauses are not appropriate, there are other mechanisms that can be used, such as an ad hoc assessment of the level of protection available and a bespoke contract, although these alternatives come with their own baggage of complexity and risk. If you are dealing with a US entity of any substance, they are more than likely to have considered how to deal with the development and have proposals ready for this.

Is Safe Harbor gone for good?

In the longer term, the likelihood is that Safe Harbor will be resuscitated: the EU Commission and the US government were already discussing improving it, and the US government has signalled that it will provide a system of oversight in the work of US surveillance agencies, and provide a means for EU residents to complain about how their information is used by US companies operating under Safe Harbor[5].  A bill which goes some way to dealing with the latter point is currently going through Congress.  There is currently a sense of urgency about agreeing Safe Harbor II (or “Spawn of Safe Harbor” as we have heard it called), but our prediction is that it will probably not be ready by the end of January 2016.