EU to US Data Transfers

Challenge

In 2013, Edward Snowden, a whistleblower, leaked details about a surveillance scheme called Prism which was operated by the American National Security Agency. The agency had supposedly gained access to data concerning Europeans, stored by American firms. It was suggested that these activities were covered by the Agreement. Mr Max Schrems, a privacy campaigner, questioned and contested these activities. The matter was later referred to the European Court of Justice in the case of Maximillian Schrems v Data Protection Commissioner [2015].

The Ruling of Maximillian Schrems v Data Protection Commissioner [2015]

The Agreement was ruled ‘invalid’ on 6th October 2015.

It was ruled that personal data should not be transferred to American firms on the sole basis that the firms were Safe Harbour-certified. In order for American firms to now export data, firms involved may have to sign ‘model contract clauses’. These clauses set out the American organisation’s privacy obligations which will ensure that the organisation has put in place ‘adequate safeguards for the rights and freedoms of data subjects’ pursuant to paragraph 9, Schedule 4, the Data Protection Act 1998 (‘DPA’).

The impact

The ruling affects the likes of social media sites and all companies which transfer data to servers based in America. Individual countries’ data regulators can now challenge transfers of data from Europe to America. Countries making use of cloud services will need to ensure that their actions are EU DPA compliant.

Should you have any questions about the above case, please contact John North, Claus Andersen or Tony Roberts.