Employee Data Transfers to U.S. - The End of the Safe Harbor Scheme
6 October 2015: The Court of Justice in the European Community (CJEU) has given its judgment in the case brought by Max Schrems concerning the validity of the U.S. Safe Harbor scheme and agreed with the Advocate General's opinion that it does not adequately safeguard E.U. citizens’ personal data.
Facebook’s E.U. subsidiary is based in Ireland and transfers members’ data to the U.S. for storage. An Austrian law student, Max Schrems, brought a claim in the Irish courts arguing that the widespread surveillance by the U.S. intelligence services of individuals’ data, as reported in the global press, and the lack of any U.S. judicial control of that surveillance meant that his personal data was no longer adequately safeguarded under the Safe Harbor Scheme if transferred to the U.S.
In a decision of major importance for E.U.-based employers with U.S. operations, the CJEU found that:
- The European Commission did not conduct a proper investigation when it reached its decision in 2000 that the Safe Harbor scheme in the U.S. offered adequate protection of the personal data of E.U. citizens transferred there;
- The Safe Harbor scheme is only voluntary and public authorities are not subject to it;
- U.S. national security, public and law enforcement interests all prevail over the Safe Harbor scheme, so that any U.S. company that had adopted the scheme’s provisions would nonetheless be legally bound to disregard the protections it offers to individuals’ data and to make this available to public authorities on demand;
- This generalised power to demand data is contrary to the fundamental right to respect for private life set out in the E.U. Charter of Fundamental Rights;
- The lack of any remedy under U.S. law by which a data subject could challenge such a demand means that the Safe Harbor scheme does not offer adequate protection to E.U. citizens' personal data.
What are the Implications of this Decision?
This is a far-reaching decision in that it would appear to mean that no data transfer to the U.S. from an E.U. state will be lawful so long as U.S. law remains as it is.
As previously reported, there are a number of alternative ways to transfer data outside of the European Economic Area (EEA), including:
- Binding corporate rules used within multinational companies, required to be approved by the data protection authority in each EU Member State, regulating the ways in which personal data is transferred within the group;
- Model agreements, as provided by the Data Protection Directive, approved by the UK Information Commissioner (ICO) and the E.U. Commission.
With both options, however, if these were now to be implemented by an E.U.-based company to cover transfers, for example, to a U.S.-based parent company, it would seem inevitable that they could be subject to the same challenge: that U.S. law permitting generalised data surveillance without any judicial remedy for the individual means personal data is not adequately protected.
Transfer of personal data outside of the EEA can be justified by obtaining consent; however, this option should be used with caution. In the employment context the Data Protection Directive defines consent as “any freely given specific and informed indication” of wishes and the ICO has previously indicated that any consent given by an employee is unlikely to be freely given in practice.
The E.U. Commission has for some time been in negotiations with the U.S. Government over revisions to the Safe Harbor scheme following the disclosures made by Edward Snowden concerning U.S. intelligence services’ surveillance practices. However, these discussions have not been concluded. In a press release following the judgment, the E.U. Commission has already acknowledged the importance of maintaining data flows between the E.U. and the U.S., calling them the “backbone of our economy”, and has confirmed that it will seek to bring these negotiations to a conclusion.
How Should My Business React?
This judgment does not specifically require any immediate action by E.U. companies and the E.U. Commission have stressed that they will be working with national data protection authorities to agree a coordinated response on alternative means of data transfer. In a press release the ICO confirmed:
“The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the U.S. is transferred in line with the law. We recognise that it will take them some time to do this.”
It is therefore unlikely that any punitive action will be taken proactively by the ICO, though this would not prevent claims being brought by individuals who object to their personal data being transferred to the U.S.
The practical effect of this decision is likely to provoke much comment and guidance as to how businesses should proceed. All the signs show that efforts will be made to find a way for the transatlantic flow of data to continue but with the protections the CJEU found necessary following this decision. For the moment the position is clear: employee data cannot lawfully be transferred to the U.S., and E.U.-based companies that up until now have been doing so will at the very least have to commence a review of current data transfer systems to determine how the protections perceived to be lacking in the Safe Harbor scheme can be restored.
We will continue to report on developments as they arise.
How Can We Help?
We can assist with various aspects including:
- Audit of current data transfer processes;
- Consultation on available options;
- Drafting of internal legal agreement;
- Review of policies.
Call us to discuss your options in minimising your risks when transferring data to the U.S. on +44(0)203 051 5711 or at firstname.lastname@example.org.
Content is for general information purposes only. The information provided is not intended to be comprehensive and it does not constitute or contain legal or other advice. If you require assistance in relation to any issue please seek specific advice relevant to your particular circumstances. In particular, no responsibility shall be accepted by the authors or by Abbiss Cadres LLP for any losses occasioned by reliance on any content appearing on or accessible from this article.