Stormy seas ahead? Safe harbour no more16 Oct 2015
Spotlight on European Data protection privacy laws as ECJ Provisional Ruling provides that Safe Harbour agreement is invalid.
On 6 October 2015, the European Court of Justice (ECJ) invalidated the 15-year-old legal agreement known as Safe Harbour, which permitted personal data to be moved from the EU to the US for “processing” (which covers most use of data, including simply recording and holding it).
The provisional ruling is likely to affect more than 4000 companies (including Google, Apple, Microsoft, and Facebook) that relied on Safe Harbour to transfer data to the US, as well as businesses that use systems such as Office 365 and Google Docs. Companies will now face scrutiny from data regulators in European member states and could be forced to host European user data in Europe, rather than the US. The likes of Amazon and Google have already started building data centres in Europe in anticipation of the move.
Why did it happen?
The decision arose following an action against Facebook in Ireland as a result of Facebook’s participation in US mass surveillance. This was highlighted by whistle-blower Edward Snowden’s infamous National Security Agency leak.
The Irish Data Protection Commissioner refused to investigate a complaint about Facebook transferring the personal data of its users to the US and storing it on servers located in the US, on the basis that the data was protected by the blanket allowance provided by Safe Harbour.
The ECJ ruling provided that the previous decision allowing a transfer of data to a third country, which ensures an adequate level of protection of the personal data transferred, cannot eliminate or reduce the powers available to the European national authorities in respect of data protection. In other words, the US cannot be relied upon to adhere to and apply European data protection and privacy standards, and the European Commission’s Safe Harbour agreement cannot usurp the powers of national authorities.
What does it mean?
The immediate effect of the ruling is that the European national authorities are unable to use Safe Harbour as a reason not to investigate data-protection practices in the US. However, more significantly, the ruling also removes the ability of companies to rely on Safe Harbour as an adequate protection when sending data gathered in the EU to the US for processing. It is not yet clear how widespread the disruption to the day-to-day operation of companies will be, but the ability to pool data from both sides of the Atlantic for analysis will be affected.
In the UK, The Information Commissioner’s Office (ICO) has issued a statement and plans to consider the judgment in detail with data protection authorities in the EU, with a view to issuing further guidance for businesses – more details of which will be issued over the coming weeks. Negotiations for a more privacy protective arrangement to replace Safe Harbour are already well underway.
What to do now if you rely on Safe Harbour
In the meantime, the European Commission has recommended that transatlantic data flows between companies be conducted using other methods that enable the protected international transfer of personal data in accordance with EU data protection law. Such alternative methods include the use of standard contractual clauses and Binding Corporate Rules. Some companies will be signed up to such arrangements already, but, if you are transferring personal data to the US, you should check the right documentation is in place to protect the data.
It is hoped that the legal uncertainty surrounding transatlantic data transfers will be addressed by the European Commission, ICO and associated bodies sooner rather than later; but, in the meantime, you should ensure that you and the companies you are contracting with are compliant with relevant data protection laws.
Contact us or call 0161 832 3434 if you have any queries about data protection or would like us to review any contracts for compliance with data protection laws.