
Tuesday 6 October 2015

US Safe Harbor Scheme no longer “Safe” for International Data Transfer

On 6th October 2015, the Court of Justice of the European Union (the “CJEU”) delivered its judgment in the case of Maximillian Schrems v. Data Protection Commissioner (Case C-362/14) - see here for the full CJEU press release. 

The judgment was not altogether unexpected given the earlier Opinion of the Advocate General on 23 September 2015, but it has still sent shockwaves through many industry sector bodies and organisations that already transfer personal data to the USA, whether themselves or through third party service providers acting on their behalf.

Safe Harbor no longer Safe

The CJEU found in its judgment that: 

(i)  The US Safe Harbor Scheme is Invalid

The CJEU made it clear that it alone has the power to examine the validity of a European Commission finding of adequacy in relation to “safe” or “permitted” international data transfers, and in this case it has decided that Decision 2000/520/EC on the adequacy of the protection afforded by the US Safe Harbor scheme (the “EC Safe Harbor Decision”) is invalid.

This means that the Safe Harbor scheme used by more than 5,000 US companies can no longer be relied on as a lawful compliance mechanism permitting personal data about European data subjects to be transferred to the USA.

For those not familiar with the background to this case, in brief terms:
  • The US Safe Harbor scheme was challenged by a Facebook user, Maximilian Schrems, following the Edward Snowden revelations about interception of communications by US intelligence agencies. 
  • It was alleged that the NSA had accessed data about Europeans and other foreign citizens stored by the US tech giants via a surveillance scheme called Prism.  
  • Schrems argued that US law and practice did not therefore offer sufficient protection against surveillance by public authorities of personal data transferred to the US, and asked the Irish Data Protection Commissioner to investigate what information Facebook might be disclosing. 
  • The Irish Data Protection Commissioner rejected Schrems’ complaint and request on the basis of the EC Safe Harbor Decision.  
  • Schrems contested the decision and the matter was referred to the CJEU.

This CJEU judgment seems to have been made on the basis that:

(a)  The Safe Harbor scheme only applies to U.S. undertakings which are Safe Harbor registered, not to U.S. public authorities.

(b)  US national security, public interest and law enforcement requirements take precedence over the Safe Harbor scheme, and when a conflict arises U.S. undertakings must disapply the Safe Harbor rules.  US public law enforcement authorities which obtain personal data from organisations in the Safe Harbor scheme are not obliged to follow the Safe Harbor rules after disclosure.

(c)  US law also allows storage, on a generalised basis, of all personal data relating to individuals whose data is transferred from the EU to the US, irrespective of the reasons for the transfer and without any limitation on when this data can be accessed and used by US public authorities.

(d)  The Safe Harbor rules do not provide adequate rights for individuals to access their data or to require it to be rectified or erased where appropriate.

"I very much welcome the judgement of the court, which will hopefully be a milestone when it comes to online privacy," said Max Schrems on learning of the judgment.  "It clarifies that mass surveillance violates our fundamental rights." 

(ii)  National DPAs must make their own finding of Adequacy

National data protection authorities have the power to examine whether international data transfers comply with the EU Data Protection Directive (95/46/EC) (the “EU Directive”) and to suspend them if they do not.  This power exists even where the European Commission has previously found that a non-EU country (or, as here, the Safe Harbor scheme) provides adequate protection, because DPAs have independent powers granted under the EU Directive.

National DPAs may therefore decide to prohibit or suspend international data transfers made under the US Safe Harbor Scheme if their investigation into the transfer finds that the transfer does not provide adequate protection.

So what happens next for Facebook?

In relation to the Facebook case, the Irish Data Protection Commissioner must now carry out a thorough investigation, exercising all due diligence, to decide whether the transfer of data to the US relating to European users of Facebook should be prohibited, given that the Safe Harbor scheme no longer provides a permitted compliance mechanism.

And what about the rest of us?

While this case may seem, on the face of it, to be about taking on the mighty Facebook, in reality it is about all transfers of personal data to the US by all organisations.  These may include:
  • data transfers to head offices in the US, or transfers sent to the US for particular service provision, either directly by organisations or via their sub-contractors; and
  • transfers for data back-ups, CRM, accounting, payroll and personnel record hosting or services, data analytics, IT services, surveys and so on.  
The case therefore has wide-reaching implications for all organisations which transfer information from Europe to the USA. As a result, many industry sector bodies and organisations have been left reeling from the news of this case, each scrambling to consider the full implications of the CJEU decision for them.

In essence, the many thousands of organisations carrying out international data transfers to the USA themselves (or using third party service providers (data processors) to do so on their behalf):
  • should no longer transfer personal data to US organisations solely on the basis that they are Safe Harbor registered;
  • are likely to face a substantial additional compliance burden, potentially having to liaise with numerous European data protection authorities rather than relying on the Safe Harbor scheme; and 
  • will undoubtedly have to carry out more costly privacy impact assessments and put more legal paperwork in place to justify their US data transfers. 
The EU Article 29 Working Party, the UK Information Commissioner’s Office and the Spanish DPA have already published statements (see links provided) on the judgment.  In basic terms these statements say they will consult with other EU data protection authorities to issue guidance for organisations on what to do next.  The European Commission has also said that it will issue "clear guidance" in the coming weeks to prevent member states' data authorities issuing conflicting rulings.

Organisations will be keen to see this regulatory guidance published sooner rather than later, as following the decision they may no longer have a compliant mechanism permitting data transfers to the USA. While there are potentially other legal pathways allowing compliant data transfers to take place, many will require further work, analysis, justification and paperwork before they can be relied on.  This will take organisations time to consider properly.  Yet the CJEU decision allows no time: there is no transition period in which to put a new mechanism in place, with the result that many organisations found themselves technically in breach of the legislation overnight.  

Many of us practitioners hope that the EU and US will agree a new compliant transfer agreement or system, but unfortunately this may be slow in coming: we understand that negotiations have been ongoing for several years, so far without agreement on a better solution.

Watch this space!

If you require any further information or advice on how to stay compliant when transferring data to the US, on implementing the European standard contractual clauses to ensure compliance, or indeed with any other data protection or privacy matter then please do not hesitate to contact Pritchetts.
