The United States as a "Safe Harbor"? That ship has sailed
The EU-US Safe Harbor Framework, used to legitimise transfers of data from the EU to the United States of America (US), was declared invalid by the Court of Justice of the European Union on 6 October 2015. Any business established in the EU that relied on Safe Harbor is now exposed to claims that transfers of data to the US are unlawful.
Following the Edward Snowden revelations highlighting the depths of the US surveillance programmes, an Austrian citizen filed a complaint with the Irish data protection regulator. A key point of the complaint was that the citizen's personal data, when transferred to the US whilst using Facebook, was not being adequately protected as required by European data protection legislation because it was potentially accessible by the US intelligence agencies.
The case, originally filed in 2013, worked its way up to the European level and culminated on 6 October in the decision, publicised in a Court press release stating:
"The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data."
Press Release, Maximillian Schrems v Data Protection Commissioner C-362/14, 6 October 2015
The US self-certification scheme had been in place for over fifteen years and, as at the date of the decision, was relied on by 5,479 US businesses (not to mention the many EU businesses contracting with them).
Why does this matter?
This decision is likely to have a significant impact because European data protection legislation requires that the transfer of personal data from Europe to a business based in the US (or anywhere else outside of the EEA) only takes place if the business receiving that data can prove it offers an adequate level of data protection.
One of the most straightforward ways a US business was able to prove it had sufficient data protection measures in place was to self-certify on the basis of its country's Safe Harbor status. US-based businesses are now unable to do this.
Following the decision, any UK-based business processing personal data in the US, or using sub-contractors to do so, can no longer rely on Safe Harbor to evidence its compliance with the European data protection requirements.
How do I know if my business is affected?
This decision is likely to impact European businesses if they, or their subcontractors:
- outsource services to the US which involve the processing of data;
- use any form of cloud-based system which processes personal data in the US; or
- operate a website which keeps user databases in the US.
How can I protect my business?
Relying on a US business's Safe Harbor status has previously been a highly convenient way of complying with data protection requirements, and many UK and European organisations made use of this. The Safe Harbor exemption, however, has never been the only way to evidence compliance with data protection legislation.
In the absence of Safe Harbor, compliance can be secured by, for example, carrying out an independent assessment of a US business's data protection measures, implementing the EU-approved "Model Contract Clauses" or taking advantage of any other available exemption under the data protection legislation, such as establishing an approved set of binding corporate rules.
In the UK at least, the regulator has recognised the significance of this decision and that it may take "some time" for businesses to ensure they are compliant with data protection legislation. In almost every case though, a sensible first step if you may have been affected by this decision is to contact your suppliers and ask how they intend to remain compliant and then ensure that the appropriate measures are put in place.
At any rate, if there has ever been a time to review your data protection clauses, it is now!