The End of Safe Harbour

The Court of Justice of the European Union (“CJEU”) handed down its long awaited and seminal judgment Schrems v. Data Protection Commissioner (C-362/14) on 6 October, 2015. The Commission Decision 2000/520/EC (the “Safe Harbour Decision”) which underpinned the US 'Safe Harbour' arrangement was invalidated by this decision, with the effect that it is now no longer lawful to transfer data from the EU to the US under this framework.

The CJEU ruled that the Safe Harbour Decision process is invalid on the basis that it allows for interference by US public authorities with the fundamental rights of persons "without limitation". The fact that the Safe Harbour Decision allowed for US public authorities to have general access to the subject matter of electronic communications was regarded by the CJEU as "compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter".

Although the impact of this ruling is not to restrict the transfer of personal data to the US from the EU altogether, and simply works to invalidate Safe Harbour as a legal process facilitating that transfer, its invalidation is likely to have a massive impact. The certification that a company in Europe could once rely upon as providing a sufficient legal basis for transferring personal data to the US has been removed with immediate effect.

New EU-US Framework
On 2 February 2016, just four months after the Safe Harbour Decision, the European Commission announced that a new framework allowing for the transatlantic transfer of personal data is to be put in place. The new proposed structure - which will be known as the EU-US Privacy Shield- intends to address a number of the issues which led to the collapse of Safe Harbour as an effective transfer mechanism. Amongst the information known on the privacy shield, thus far, relates to;

  • the appointment of an ombudsman to deal with complaints of EU citizens; and
  • the establishment of a three step redress process which focuses on encouraging individuals to firstly bring their complaint to the relevant company, and availing of a free dispute resolution procedure and arbitration process, administered by the ombudsman, thereafter.

In addition, in order to ensure greater viability and security, it is proposed that the US Government will provide guarantees to safeguard EU citizens, and US organisations processing personal data will be required to comply with stringent obligations and enforcement mechanisms under the framework.

Going Forward
It is expected that arrangements for the implementation of the new privacy shield will be finalised by the EU and US within the next three months. Until full details are published, it remains difficult to accurately assess just how effective and successful the EU-US Privacy Shield will be.

In the meantime, if companies are transferring data to the US, it is important that they carry out an assessment of their existing data transfer processes and related agreements to ensure that the transfers are not being made pursuant to safe harbour.

Until the EU-US Privacy Shield has been properly implemented, companies should look to alternative transfer mechanisms, such as the EU approved model contracts, to allow for the transfer of data to continue.