In the wake of a recent Court of Justice of the European Union (CJEU) decision invalidating the “Safe Harbour” policy, what are the practical repercussions for Irish entities that may previously have been transferring personal data to the US under Safe Harbour?
What is Safe Harbour?
Simply put, a scheme under which personal data gathered in the EU could be transferred to the US in compliance with EU data protection law. Under EU law, personal data may not be transferred out of the European Economic Area to a third country unless that country ensures an adequate level of protection, broadly equivalent to that under EU law. Safe Harbour allowed US companies to self-certify that they had adequate protections in place, on the basis that data transferred to them would then enjoy the same level of protection as if it had remained in the EU.
Max Schrems, a privacy activist, made a complaint to the Data Protection Commissioner (DPC) in Ireland alleging that US intelligence agencies had unrestricted access to the personal data of EU Facebook users, which was being transferred from the EU to the US under Safe Harbour. The DPC took the view that it had no jurisdiction to examine the adequacy of Safe Harbour, since the European Commission had already decided that the scheme provided adequate protection. Schrems brought Judicial Review proceedings against that decision in the Irish High Court, which referred the matter to the CJEU for clarification.
Findings of the CJEU
The CJEU found that the Commission decision approving the Safe Harbour scheme is invalid. The Court held that legislation which allows public authorities generalised access to personal data, and which gives individuals no legal remedy to access, rectify or erase that data, is contrary to the Charter of Fundamental Rights of the European Union (in particular the rights to respect for private life and to effective judicial protection).
Furthermore, the CJEU held that the data protection authority in each EU Member State must examine complaints from individuals about the adequacy of a third country's data protection regime, regardless of any prior European Commission decision on that country. On this basis the CJEU directed that the DPC should examine Schrems' complaint to decide whether the transfer of EU Facebook users' data to the US is protected to an adequate standard and, if not, whether such transfers should be suspended.
It is now necessary for each of the approximately 4,400 companies that were relying on Safe Harbour to put an alternative lawful basis in place so that their transfers of personal data to the US comply with EU law. The following are the alternative lawful methods for transferring personal data to third countries:-
- Data subject consent – the consent must be given unambiguously and can be withdrawn, so it is unlikely to be a practical solution, particularly when dealing with a high volume of data subjects. The DPC has advised against relying on this method.
- Model contracts – European Commission approved contracts that bind the non-EU party to process the data on terms mirroring EU data protection legislation. Currently used by many entities transferring to non-approved third countries. There are two forms – “controller to controller” and “controller to processor”.
- Binding corporate rules – used for intra-group transfers between EU and non-EU entities of the same corporate group. A legally enforceable data protection policy is drafted and approved by the data protection authority in the relevant Member State.
- Transfer data only to approved countries – countries which are considered to have adequate data protection laws in place are Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay; Canada has been approved for certain types of personal data.
Your Next Steps
If you are an Irish company sending personal data to the US:-
- Review any data processing/controller contracts your company has with US entities.
- Check whether each transfer relied on Safe Harbour (review the Safe Harbour listing at https://safeharbor.export.gov/list.aspx to see whether the US recipient was self-certified).
- Await the guidance expected from the various data protection authorities within the coming weeks.
- Put an alternative lawful basis for the transfer (for example, model contracts or binding corporate rules) in place where necessary.