Following last month’s preliminary opinion from the European Court of Justice (ECJ) Advocate General, the ECJ yesterday ruled that organisations cannot rely upon the European Commission approved Safe Harbor scheme when transferring personal data from the EU to the United States.
What is Safe Harbor?
Safe Harbor is a self-certification scheme operated by the US Federal Trade Commission and approved by the European Commission for the purposes of the eighth data protection principle. The eighth principle states that personal data may not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for data subjects in relation to that processing.
Safe Harbor is used by a large number of organisations in Europe as a streamlined way to transfer personal data to the United States in compliance with EU data protection rules. Such transfers frequently arise when using cloud-based technology and data centres or other outsourced services and for intra-group data transfers.
More than 5,000 US organisations are Safe Harbor-certified, including a number of major technology companies and international businesses.
The ECJ’s concerns relate to a perceived failure of Safe Harbor to protect the personal data of EU citizens from surveillance by US law enforcement agencies.
In short, the ECJ held that a blanket authorisation of this kind is incompatible with the requirements of EU data protection laws.
The effect of the ruling is to invalidate the legal basis on which many organisations transfer personal data to the United States, causing potential chaos and uncertainty for many organisations.
Whilst there are alternative ways of complying with the eighth principle, identifying the relevant processing arrangements and putting those new measures in place will be time-consuming and administratively challenging for many organisations.
In a press release issued following yesterday’s ruling, the UK Information Commissioner’s Office (ICO) notes that it is incumbent on regulators and legislators to provide a “considered and clear response” to the judgment.
The ICO will be considering the judgment working alongside its counterpart regulators in other EU member states and will be issuing further guidance to organisations that currently rely upon Safe Harbor. The ICO expects to publish initial guidance in the coming weeks.
In the meantime, organisations should start now to identify the arrangements under which they rely upon Safe Harbor certification, the personal data involved and whether those transfer arrangements are of critical importance to the organisation.
Organisations should also ensure that they do not enter into any new contracts that rely upon Safe Harbor.
Once identified, organisations will then need to look at what steps can be taken to ensure that processing complies with EU laws – for example:
- changing the processing or hosting arrangements so that, for example, data is hosted only within data centres in the EEA (and not accessed by personnel outside the EEA), or limiting the sharing of personal data;
- putting in place data transfer agreements using the model clauses approved by the European Commission for international data transfers.
Several major technology providers have already said that they will be making available to EU customers a “data protection addendum” that incorporates the model clauses. Microsoft last year announced that the Article 29 Working Party had approved a set of Microsoft terms as being adequate for the purposes of the eighth principle.
If you would like to discuss the implications of the ECJ’s judgment for your organisation, or need assistance in identifying and reviewing your data transfer arrangements, please contact me or your usual Brodies contact.
On October 7, 2015