The European Court of Justice (ECJ) has ruled that the “Safe Harbor” agreement, which sets out a framework of data protection standards allowing the free flow of personal data from the EU to US organisations that have joined the scheme, is invalid.
The Safe Harbor agreement has been in place since 2000 between the EU and the US to govern the transfer of users’ private data between the two regions. The EU and the US have different rules on data privacy, but the agreement acts as a harmonisation tool that allows data to move smoothly without organisations having to reconcile the two legal frameworks. Safe Harbor was originally signed to reduce the administrative burden of complying with the EU’s Data Protection Directive 95/46/EC and to ensure that data flows from Europe continue uninterrupted. That smooth transfer is now threatened by the ECJ’s decision.
The case was brought by the Austrian law student Max Schrems against Facebook in Ireland, claiming that his privacy had been violated by the US government in the form of the NSA’s mass surveillance programmes. Ireland’s data regulator originally rejected the complaint, relying on a decision of the EU Commission in 2000 which found that, under the Safe Harbor agreement, the US ensures an adequate level of protection for the personal data transferred. Schrems appealed, and the ECJ held that the Safe Harbor agreement is invalid, plunging many tech companies into legal uncertainty.
The full impact of the ruling is not yet clear, but it has already created significant uncertainty for organisations that rely on Safe Harbor, either for their own internal data transfers or because they use a service provider which, in turn, relies on Safe Harbor to establish adequacy for its transfers to the US. The decision appears to leave small companies with few legal resources especially exposed, as it is broad enough that any mechanism used to transfer data to the US could be under threat. Large tech companies such as Google can afford to house data in Europe, but small start-up tech companies may not be so fortunate. Nor is it only tech organisations that should be concerned by the ECJ’s decision: it also applies to companies that have employees in both regions and need to transfer information between them, for example in relation to employee benefits.
Companies may opt to seek consent directly from the individual. This is not without difficulty, however, as consent has to be explicit and freely given, which is hard to demonstrate, especially in an employment context where the imbalance between employer and employee calls freely given consent into question. Tech companies operating in both the US and the EU may have to consider storing the data of EU customers within the EU, but this could be difficult and costly for smaller companies that lack the resources to do so.
It is clear from the ECJ’s ruling that a far more diligent compliance regime for data transfers will need to be put in place. Time will tell how those who process data respond, and what alternative approach the EU and US regulators adopt.
This is not intended to be a definitive statement of the law. For advice on these and other related issues under English law, please contact Jane Laidler at GRM Law in London at firstname.lastname@example.org or at email@example.com.