Safe harbor ruled invalid!

The CJEU has published its ruling on a case brought by an Austrian law student, Maximillian Schrems. The finding of the CJEU is that the decision of the European Commission on the adequacy of US Safe Harbor is invalid.

Detailed review of the background to this important case and legal analysis are set out in a full briefing note, which can be viewed here. The consequences of this decision are likely to be far-reaching, including for UK employers. Accordingly, key extracts for employers from the more expansive briefing note are as follows:

What are the consequences now Safe Harbor is invalid?

The impact of this ruling is far-reaching, not only for the thousands of companies that have certified themselves under the Safe Harbor scheme but for the many thousands more that trade with those businesses and disclose personal data to them believing they can do so lawfully. The Safe Harbor scheme underpins a great deal of international trade and services, in particular the use of cloud and other technology-based services, so its impact will be felt by very many employers and across most sectors.

Following the CJEU ruling, the Commission held a press conference at which it appeared to confirm that Safe Harbor is immediately invalid. Therefore, further reliance solely on Safe Harbor certification will presumably not be lawful and no ‘sunset period’ will be granted while other adequacy mechanisms are implemented by affected businesses. The Commission went on to say that it “…will come forward with clear guidance to [Data Protection Authorities] on how to deal with data transfers to the US in light of [the Ruling]”.

Whilst it seems unlikely that any Data Protection Authority (DPA) would instigate enforcement action against any companies relying on Safe Harbor for the immediate future or until guidance is published by the Commission, DPAs (including our own Information Commissioner) may find their hands tied with respect to employers if disgruntled employees start issuing complaints on the basis of this ruling. Further, employees could also issue claims directly against their employers if those employers were to transfer their data without alternative protective mechanisms in place or any applicable exemptions.

What should employers do?

In practical terms, employers relying on Safe Harbor should take immediate steps to ensure adequate protection. In commercial terms, this might involve entering into EU Model Clauses or (where transfers are made internally within the group) considering Binding Corporate Rules but, from an employment perspective, will require close scrutiny of HR and record-sharing practices.

Until such time as any further rulings are made, emphasis on real operational adequacy of protection is needed, not just paperwork, so that protection can stand up to scrutiny if the Information Commissioner is called upon to investigate the transfer.

Interestingly, prior to the ruling, the Commission was in negotiations with its US counterparts in relation to the future of the Safe Harbor scheme and the Commission has, this afternoon, confirmed those negotiations will continue. This ruling by the CJEU will surely accelerate the speed at which these negotiations progress and, accordingly, there may be a replacement for Safe Harbor in the future.

Maximillian Schrems v Data Protection Commissioner