Monday 23rd December 2024
Twitter Facebook Twitter LinkedIn RSS

Comsure operates in:the UK, Jersey, Guernsey

Ground-breaking European Court decision: US Safe Harbour declared invalid

The US Safe Harbour framework has, for the last 15 years, provided a mechanism by which European businesses can validly transfer personal data (including employee data) from the EU to the US.   In a ground-breaking decision this week,  the European Court of Justice has declared the Safe Harbour scheme invalid.   This decision will have a significant and immediate impact for any business relying on Safe Harbour to enable data transfers to the US and will require a change in approach to cross-border data transfers.

Ground-breaking European Court Decision – US Safe Harbour declared invalid

Employment 7 October 2015

In a ground-breaking Decision on 6 October 2015 the Court of Justice of the European Union (CJEU) declared the US Safe Harbour scheme to be invalid, as well as confirming that individuals have the right to challenge any similar schemes that may be established by the European Commission through their national data protection authorities.

This summary by Andrew Dyson and Patrick van Eecke in our Data Privacy team provides more details. More information on the implications for employment data will follow shortly.

The US Safe Harbour framework was established 15 years ago to provide a mechanism by which European businesses could validly transfer personal data from the EU to the US. The framework has been widely adopted, with over 5000 companies currently using the scheme to support the free flow of data across the Atlantic. It is commonly adopted to support data transfers needed to support intra-group operations (for example to assist a US parent in managing EU based activities) and outsourced services involving a US cloud or software-as-a-service (SAAS) provider.

The Decision of CJEU will have a significant and immediate impact for any business relying on Safe Harbour to enable these operations to date and will require a change in approach to cross-border data transfers.

Impact for businesses

We expect it will take time for the full practical implications of the decision to flow down and take effect, with national data protection authorities likely to develop their own interpretation and positions.  What is clear, however, is that Safe Harbour as it stands at the moment is not valid.

The decision will have an immediate impact on any organization currently relying on Safe Harbour as a basis for transferring data to the US, either intra-group or through their supply chain. Subject to any guidance issued by local supervisory authorities (see below), these arrangements are now likely to be invalid. To understand the risks and plan effectively, organizations should quickly identify any arrangements they rely on that are underpinned by Safe Harbour. A strategy can then be adopted to consider alternative arrangements to authorize continuing data transfers to the US. In many cases this may involve adoption of EC approved standard contractual clauses.

In the medium term, we expect to see a more fragmented approach from the 28 national supervisory authorities to future decision making around transfers of data to the US . This is likely to create greater uncertainty for any multinational business operating within Europe as regulators may feel empowered by the decision to make independent assessments on adequacy for any alternative arrangements organizations may be considering instead of Safe Harbour – potentially replaying concerns noted in the court decision about the wide scope of the Patriot Act as a basis for undermining the viability of other well established transfer routes such as the EC model clauses.

A more fragmented regulatory approach on cross-border issues at a time when legislators are trying their best to support a more integrated global information society will be unwelcome, adding significant cost and regulatory burden to organizations who may feel exposed and vulnerable to challenges from changing political landscapes.

If a European national supervisory authority has the power to investigate and suspend the transfer of the personal data in question to the US, irrespective of Safe Harbour , this will create a new and substantial obstacle for any US business looking to establish as a ‘data importing’ business model in the EU market. This could lead to a position where US companies will need establish separate consent arrangements to data sharing which may put them at a major disadvantage when building a consumer facing business model in comparison with EU based companies.

Although these other legal avenues exist for sharing personal data between EU companies and citizens and US companies, these solutions are often onerous and difficult to implement on a global scale. Safe Harbour functions as a kind of ‘one stop shop’, a practical solution to allow data transfers from the EU to a trusted business partner in the US – Europe risks endangering this important relationship for transatlantic economic growth.

Over the past two years, the EU Commission has been working and negotiating intensively with US authorities to reach a joint solution for the public concern and distrust generated by the revelations based on leaked documents from Edward Snowden back in June 2013 (which confirmed that US authorities can have access on a mass basis to personal data of individuals living in the EU). The two sides of the Atlantic are almost at the end of this extensive negotiating period but the Decision of the CJEU halts momentum to reach a safe solution and risks a swift return to square one.

More broadly, the Decision of the CJEU does not only have an impact on Safe Harbour but potentially opens the scope for national authorities to challenge other Decisions of the European Commission (such as, for instance, the standard contractual clauses for controller-controller or controller-processor data transfers).

http://bit.ly/1jSCZxl


1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

WP2Social Auto Publish Powered By : XYZScripts.com