Transfer of Personal Data to the US under Safe Harbour is no longer ‘safe’

For over 15 years UK employers have been transferring personal data to US companies signed up to the ‘Safe Harbour’ framework (‘Safe Harbour’) secure in the knowledge that thanks to a European Court of Justice (ECJ) ruling on 26 July 2000 they would not be in breach of UK data protection laws in doing so.  No more!  Thanks to an ECJ ruling on 6 October 2015 the Commission Decision which permitted transfers under Safe Harbour is invalid.

If you are a UK organisation transferring employees’ personal data to the US for example:

  • to discuss HR issues with a US parent company;
  • to progress immigration applications;
  • for recruitment purposes;
  • to secure internal transfers;
  • to US based providers of cloud computing services; or indeed
  • for any other reason

then this decision will have serious implications for you.

Background

The EU Data Protection Directive, which forms the basis of UK data protection legislation, prohibits the transfer of personal data from an EU country to a non-EU country unless that receiving country ensures an ‘adequate’ level of protection for that personal data, for example a level of protection equivalent to that afforded under UK law. The Directive empowers the European Commission to certify countries as affording appropriate protection, and in July 2000 a Commission Decision established that the data protection principles known as Safe Harbour (pursuant to which US companies self-certify their commitment to a set of data protection principles, with enforcement by the Federal Trade Commission) afforded an adequate level of protection. It has been relied on by vast numbers of European companies ever since.

This recent decision originated from an Irish case involving Facebook. An Austrian citizen became concerned about the transfer of his personal data from Facebook Ireland Ltd (Facebook’s European subsidiary) to its US parent (Facebook Inc). He complained to the Irish Data Protection Commissioner (DPC), requesting that the DPC act to prevent Facebook from effecting such transfers. The DPC rejected the complaint. Facebook was making the transfers under Safe Harbour, and the DPC held that the adequacy of US data protection should be determined in accordance with the Commission’s Decision of July 2000, which had established Safe Harbour as adequate protection.

The Austrian ‘Facebooker’ was not satisfied and, following High Court proceedings, the matter was referred to the ECJ. In its judgment the ECJ held that, as Safe Harbour only applies to companies which sign up to the scheme and can be overridden by law enforcement agencies, US national security and any instance which is deemed to be in the public interest (not to mention the fact that it doesn’t apply to US public authorities), it does not afford an adequate level of protection for data transferred to the US.

Implications

The case will return to the Irish courts to be determined, but the decision leaves companies that have been relying on Safe Harbour in difficulties. Although negotiations have been ongoing between the US and the EU to establish a revised Safe Harbour framework with greater levels of protection, agreement has yet to be reached. In the meantime, the transfer of personal data from the UK to the US may well be unlawful unless other adequate protections are put in place.

If you would like to discuss compliance or the implementation of an International Data Transfer Agreement for your organisation please contact Adele Martins via email to [email protected] or on 020 73176719.