The European Court of Justice (judgment of October 6, 2015 – case C-362/14) has declared invalid the EU Commission’s decision on the so-called Safe Harbor agreement, according to which the agreement offers an adequate level of data protection for the transfer of personal data to the US. Accordingly, the Safe Harbor agreement may no longer be used as a legal basis under data protection law for data transfers to the US. This has significant implications for all transfers of personal data to the US, including the data of employees.
The background to the judgment is the EU Data Protection Directive 95/46/EC, which stipulates that the transfer of personal data to a non-EU country (assuming it is permissible in all other respects) is only allowed if the country in question guarantees an adequate level of protection for these data. The EU Commission may determine that a non-EU country guarantees such an adequate level of protection on the basis of its international obligations or its national legal regulations. In the case of the US, the EU Commission approved the so-called Safe Harbor agreement, which bridged the gap between the data protection law systems of the EU and the US, and deemed the level of data protection for transfers of personal data adequate where the agreement was complied with. US organizations could subject themselves to this legal framework by voluntary self-certification. More than 4,000 US organizations did so and then relied on Safe Harbor as the basis for their data transfers.
3. The ECJ judgment
The ECJ judges have declared the Safe Harbor agreement invalid. The reasons given consisted of criticism of numerous aspects of the agreement, in particular the fact that the agreement gives general precedence to “national security, public interest, or law enforcement requirements” over the Safe Harbor principles. Furthermore, the court reasoned that the US lacks a public authority that limits such interferences with the fundamental rights of the persons whose data are transferred, and that the agreement contains no provisions on effective legal protection by the courts against such interferences.
4. Implications of the judgment and options for action
Safe Harbor may no longer be used to establish an adequate level of data protection in the US for the transfer of personal data to the US. Any data transfers that rely on the agreement alone are prohibited. Accordingly, it is important to know the alternatives to Safe Harbor in order to ensure that data transfers to the US remain permissible. Options that can be considered include the (EU) standard contractual clauses and binding group-wide company regulations (binding corporate rules).
EU standard contractual clauses are model data protection contracts issued by the EU Commission that have to be adopted unchanged in the data processing agreement with the companies that process the data. The Commission has declared that use of the EU standard contractual clauses provides an adequate level of protection. Where these clauses are used, the data transfer does not require authorization by the supervisory authority. The drawback is that these clauses are not particularly flexible and have to be applied without amendment. Any deviation from the standard contractual clauses makes the data processing agreement subject to authorization. Furthermore, even where they are used as required, the national supervisory authorities retain powers to inspect and intervene in individual cases.
Section 4c (2) of the German Federal Data Protection Act (BDSG) allows the use of contractual clauses other than those of the EU. However, the intended transfer is then fully subject to inspection and authorization by the supervisory authority. The disadvantage of all contractual clauses is that they are designed for bilateral relationships. As soon as complex multi-party relationships need to be covered in data protection terms, the number of contracts that must be concluded increases immensely, which can result in unwieldy contract management. This particularly applies to groups of companies operating internationally, which is why binding corporate rules are likely to provide a more practicable solution in these cases.
Binding corporate rules, or codes of conduct, are bindingly implemented guidelines that apply uniformly to the management of all companies in the group. However, these regulations may only be used for group-internal data processing, not for data transfers to third parties external to the group, and they must be bindingly implemented internally (e.g. by way of contractual agreements between the group companies, or binding directives). Works agreements are not usually suitable for this purpose unless they are incorporated into the relevant company regulations and are therefore binding on both the transferring and the processing entity. In order to guarantee an adequate level of data protection, the company regulations must reflect the core elements of the EU Data Protection Directive.
5. Notes on transferring and processing employee data
It is important to note that the ECJ’s Safe Harbor judgment concerns only the question of an adequate level of data protection in the context of transfers to the US. For transfers of employee data, this may now only be ensured through standard contractual clauses, individual agreements requiring authorization, or binding corporate rules.
However, the data processing must in addition always be justified on its merits. For employee data, a possible basis for such a justification is Section 32 BDSG, the conditions of which must in all cases be assessed with care. In addition, works agreements may in principle justify the collection, use and processing of data pursuant to Section 4 (1) BDSG. However, this will only apply if they also bind the data recipient, which in turn can only be achieved through a contractual provision. Where special categories of personal data (such as religious affiliation) are included in the employee data, these may moreover constitute especially sensitive data, which may give the affected person a legitimate interest in preventing the data from being transferred abroad.

There is an assumption that the transfer of employee data within multinational companies is justified if it is clear upon conclusion of the employment contract that the employee will be working group-wide and the data processing as such is “necessary” for establishing, carrying out or terminating the employment relationship in question. Accordingly, e.g. international group databases that list the skills and professional experience of employees (skill databases) may be permissible if they serve the purpose of internal work planning and employees are given the option to object to being included. The same applies to data transfers in the context of internationally required compliance and risk management structures. However, these require careful preparation and implementation.