The European Court of Justice (ECJ) has ruled that personal data from the European Economic Area (EEA) may no longer be sent to the US under the ‘Safe Harbour’ data transfer scheme, meaning that companies may now have to revisit their privacy and data protection policies and the terms of any transatlantic data transfer agreements entered into.
The Safe Harbour scheme was intended to enable US technology companies to manage transatlantic data flows, allowing them to self-certify that they have appropriate data privacy measures in place when dealing with data from the EU. Since its ratification by the European Commission in July 2000, the ‘Safe Harbour’ provisions have been utilised as a core structural component by thousands of US companies and now underpin most data, social media and cloud storage offerings, to avoid breaking EU data protection rules.
The ruling (Schrems C-362/14) concerns a challenge by an Austrian privacy campaigner against the Irish Data Protection Commissioner over concerns that Facebook, by sending EU personal data to the US for processing, might be sharing information with US spy agencies – following revelations by Edward Snowden of the routine monitoring of communications data by the US National Security Agency (NSA).
Data privacy is a fundamental principle of EU law, which forbids personal data from being transferred to and processed in parts of the world that do not provide “adequate” privacy protections.
The ECJ ruled that the provisions of the Safe Harbour agreement did not eliminate the need for national privacy watchdogs to check that US businesses were taking adequate data protection measures when handling EU data. It recognised that the Safe Harbour scheme did not apply to US public authorities, and that US businesses were bound to disregard its provisions should a US law enforcement agency request access to any data held; such requests are also not subject to judicial redress.
- The ECJ’s decision means that the Irish regulator must now decide whether Facebook’s EU-to-US transfers should be suspended on the grounds that the US does not afford an adequate level of protection of personal data, compared to the EU. But more broadly the ruling holds that EU personal data should no longer be transferred to any US entity solely on the basis that it is Safe Harbour-certified.
- For many of the largest and most sophisticated social media and cloud storage operators, the ECJ ruling may have a significant impact, requiring them to ‘gold plate’ their data protection systems to comply with the tougher EU requirements, as well as to mitigate the concerns of users over outside interference or access. Some high profile file sharing and IT entities have already announced that they will have to bolster their systems as a result of the ruling, which was delivered earlier than some had anticipated.
- In order for many US companies to handle EU data, they will likely now have to amend their user terms, including implementing the EU Commission’s approved ‘model contract clauses’, which set out the US data importer’s privacy obligations and which detail the data involved and the security steps being taken to protect against outside access or interference – including notifying the (EU) data exporter of any legally binding request for disclosure of the data held, and that liability for any breach of the clauses will be governed by the law of the member state of the data exporter.
- The model clauses cannot, however, be amended, and separate agreements will therefore have to be reached between the US provider and each of its EU clients, which may present administrative issues and delay.
- For group company data transfers, companies may alternatively seek to put in place updated binding corporate rules (BCRs), which may also take time to agree, or where possible seek to anonymise any personal data transferred – which transfers would then fall outside the scope of the EU data protection rules. UK data protection laws alternatively enable UK data controllers to carry out their own assessment of the adequacy of data protection afforded by non-EEA operators’ national regulation – albeit such assessments may be challenged at the national and EU level.
- A more practical, longer-term solution may, however, be to ensure that any EU users give their unambiguous consent to the transfer of their personal data outside of the EEA (including to the US). This may require amending standard terms and conditions as well as data protection and privacy policies, and ensuring that such consent is specific, informed and freely given – the UK regulator’s current acceptance of implied consent may not hold valid here.
For UK and EU-based data handlers and exporters, the practical requirement is therefore to ensure that whatever transatlantic data sharing service is provided, including any third party service utilised, is compliant with EU data protection rules.
In the short term this may include agreeing a variation of service terms – we are already seeing clients receive requests from US providers to add addenda to their user terms and conditions incorporating the model contractual clauses – as well as amending their own user terms and processes to ensure that they obtain specific consent to data transfers outside of the EEA.
The European Commission, in response to the ruling, has stated that it will issue clear guidance in the coming weeks to avoid conflicting decisions by EU member states’ data regulators, a stance echoed in a communication by the UK Information Commissioner’s Office.
More broadly, the hope is that the ruling will encourage the resumption of a delayed agreement between EU and US regulators over updated transatlantic data sharing rules – Safe Harbour 2.0 – which had stalled as a result of concerns over the degree of access to communications by intelligence agencies, as well as delays in talks aimed at allowing European companies to sue companies in the US for misusing their data.
If you are concerned about the implications of the ECJ ruling for your business, your contractual terms, or your data protection and privacy policies, then in the first instance please contact Tris Moore at [email protected]
The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. Internet subscribers and online readers should not act upon this information without seeking professional counsel.