On 6 October 2015 the Court of Justice in the European Community (European Court) gave its judgment in the case brought by Max Schrems concerning the validity of the US Safe Harbor scheme and concluded that it does not adequately safeguard EU citizens’ personal data.
Facebook’s EU subsidiary is based in Ireland and transfers members’ data to the US for storage. An Austrian law student, Max Schrems, brought a claim in the Irish courts arguing that the widespread surveillance by the US intelligence services of individuals’ data, as reported in the global press, and the lack of any US judicial control of that surveillance meant that his personal data was no longer adequately safeguarded under the Safe Harbor scheme if transferred to the US.
In a decision of major importance for EU-based employers with US operations, the European Court found that:
- the European Commission did not conduct a proper investigation when it reached its decision in 2000 that the Safe Harbor scheme in the US offered adequate protection of the personal data of EU citizens transferred there;
- the Safe Harbor scheme is only voluntary and public authorities are not subject to it;
- US national security, public and law enforcement interests all prevail over the Safe Harbor scheme, so that any US company that had adopted the scheme’s provisions would nonetheless be legally bound to disregard the protections it offers to individuals’ data and to make this data available to public authorities on demand;
- this generalised power to demand data is contrary to the fundamental right to respect for private life set out in the EU Charter of Fundamental Rights;
- the lack of any remedy under US law by which a data subject could challenge such a demand means that the Safe Harbor scheme does not offer adequate protection to EU citizens' personal data.
What are the implications of this decision?
This is a far-reaching decision in that it would appear to mean that no data transfer to the US from an EU state will be lawful so long as US law remains as it is.
As previously reported, there are a number of alternative ways to transfer data outside of the European Economic Area (EEA), including:
- binding corporate rules used within multinational companies, required to be approved by the data protection authority in each EU Member State, regulating the ways in which personal data is transferred within the group;
- model agreements, as provided by the Data Protection Directive, approved by the data protection authorities in each member state and the EU Commission.
With both options, however, if they were now to be implemented by an EU-based company to cover transfers to, for example, a US-based parent company, it would seem inevitable that they could be subject to the same challenge - that US law permitting generalised data surveillance without any judicial remedy for the individual means personal data is not adequately protected.
Transfer of personal data outside of the EEA can be justified by obtaining consent; however, this option should be used with caution. In the employment context the Data Protection Directive defines consent as “any freely given specific and informed indication” of wishes and there is some doubt as to whether consent given by an employee can be regarded as “freely given” in practice.
The EU Commission has for some time been in negotiations with the US Government over revisions to the Safe Harbor scheme following the disclosures made by Edward Snowden concerning US intelligence services’ surveillance practices. However, these discussions have not been concluded. The EU Commission has already acknowledged, in a press release following the judgment, the importance of maintaining data flows between the EU and the US, calling them the “backbone of our economy”, and has confirmed that it will seek to bring these negotiations to a conclusion.
How should my business react?
This judgment does not specifically require any immediate action by EU companies, and the EU Commission has stressed that it will be working with national data protection authorities to agree a coordinated response on alternative means of data transfer. In a press release the ICO confirmed:
“The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time to do this.”
Though it is unlikely that any punitive action will be taken proactively by national data protection authorities in the short term, this would not prevent claims being brought by individuals who object to their personal data being transferred to the US.
The practical effect of this decision is likely to provoke much comment and guidance as to how businesses should proceed. All the signs show that efforts will be made to find a way for the transatlantic flow of data to continue, but with the protections the European Court found necessary following this decision. For the moment the position is clear - employee data cannot lawfully be transferred to the US, and EU-based companies that up until now have been doing so will at the very least have to commence a review of current data transfer systems to determine how the protections perceived to be lacking in the Safe Harbor scheme can be restored.
Content is for general information purposes only. The information provided is not intended to be comprehensive and it does not constitute or contain legal or other advice. If you require assistance in relation to any issue please seek specific advice relevant to your particular circumstances. In particular, no responsibility shall be accepted by the authors or by Abbiss Cadres LLP for any losses occasioned by reliance on any content appearing on or accessible from this article.