December 8, 2015

Transferring data to the US: no “safe harbour”


Austrian law student, Max Schrems, had used Facebook since 2008. As is the case for all Facebook users in the EU, the data he provided through Facebook was transferred from Facebook’s Irish subsidiary to the United States, where it was processed. Following Edward Snowden’s revelations in 2013, Mr Schrems was concerned that the US could not ensure adequate protection of his data against surveillance by US public authorities. He asked the Irish Data Protection Commissioner (DPC) to prevent Facebook in Ireland from transferring his data to the US.

The DPC, however, took the view that the transfer of Mr Schrems’ data to the US was covered by something called the "safe harbour agreement", so no further action was needed. Mr Schrems challenged the DPC’s decision and the case has proceeded to the European Court of Justice.

What is the "safe harbour agreement"?

Data Protection law provides that the transfer of personal data to a third country can only take place if that third country ensures an adequate level of data protection. The "safe harbour agreement" was an agreement between the EC and the US government that promised to protect EU citizens’ data that was transferred to the US. It allowed companies such as Facebook to transfer an individual’s data to the US.

The ECJ decision

The ECJ has now ruled that an individual’s personal data should no longer be transferred to companies in the US solely on the basis that they are safe harbour-certified. The safe harbour agreement that allows the transfer of European citizens’ data to the US is no longer valid.

What does this decision mean for your business?

For 15 years, businesses that transfer data to the US have relied on the safe harbour regime. They will now need to consider alternative ways of covering data transfers to the US.

This may mean:

  • getting the express consent of your staff to transfer their personal data
  • updating your employment contracts and policies to deal with data protection outside of the EU
  • having a written agreement with the company in the US you’re transferring the data to.