Your steer through the choppy waters
The European Court of Justice (ECJ) has today ruled that the Safe Harbor regime is no longer considered to provide adequate protection for personal data transfers from the EEA to the USA.
On 23 September 2015 the Advocate General (AG) delivered a non-binding Opinion in the case of Maximillian Schrems v Data Protection Commissioner (Case C‑362/14).
Today has seen the adoption of the AG's recommendations, with the ECJ ruling that:
- when dealing with a complaint, national supervisory authorities must be able to examine, with complete independence, whether the transfer of a data subject's personal data to a third country outside of the EEA complies with the requirements laid down by the Directive; and
- the Commission Decision (2000/520/EC of 26 July 2000) that confirmed the adequacy of the protection provided by the Safe Harbor principles is invalid, due to the inadequate protection it gives to EU personal data.
Consequently, any businesses currently relying on the Safe Harbor regime to transfer personal data between Europe and the US will need to look at alternative methods to ensure that such transfers take place in accordance with European data protection law.
In a short press release this morning the Information Commissioner (ICO) indicated that, in line with today's ruling, it will not treat a transfer of personal data to a Safe Harbor certified company as an adequate transfer for the purposes of Principle 8 of the Data Protection Act. The ICO highlighted that there are other methods of transferring personal data to the US in compliance with European data protection law, for example the European Commission's standard contractual clauses, commonly referred to as "Model Clauses". Early indications therefore suggest the ICO will require businesses to adopt these alternative measures.
As usual, the ICO is expected to take a pragmatic approach and has already acknowledged that the required changes will take time for businesses to implement. In comparison, we are less confident that other European regulators, notably those in France, Spain and Germany, will take the same view.
US Safe Harbor Service Provider Response
US Safe Harbor service providers are already taking proactive steps in light of the judgment. Some major players have already written to European-based customers, making available a data processing addendum that incorporates the Model Clauses.
Steps to be taken now
European-based companies are advised to:
- carry out an audit of all existing contracts involving the transfer of personal data from the EU to the US under Safe Harbor;
- prioritise suppliers on the basis of volume and sensitivity of personal data.
If presented with Model Clauses agreements from US suppliers, European companies should:
- ensure the correct version has been provided depending on the designation of the service provider as a data controller or data processor;
- assess the security measures appended to the Model Clauses against their own IT security standards; and
- ensure that the processing description schedule accurately reflects the personal data and the purposes for which it is transferred.
Words of Caution
As a word of caution: although, following the judgment, the Model Clauses remain a method of transferring personal data outside the EEA in compliance with European law, the court's rationale for finding Safe Harbor inadequate was that the US government has powers to demand personal data and monitor information once it is in the US, regardless of Safe Harbor membership. Although the Model Clauses contractually prevent the service provider from providing such access, the same powers will be available to the US government even when Model Clauses are in place.
More broadly, readers should note that the decision of the ECJ potentially opens the scope for national data protection authorities to challenge other decisions of the European Commission (such as the Model Clauses).
We await further commentary from the European Commission on this point.
At today's press conference the European Commission discussed its desire to work with the US in order to establish a "safer" Safe Harbor regime. While no specific timeframe was identified, the Commission conveyed its continued commitment to conclude negotiations in order to bring commercial certainty to business arrangements involving such data transfers.
We expect a full response and further guidance to be issued by the UK ICO in the coming weeks and will continue to monitor responses from the regulators in other EU member states.