OIC response to ECJ ruling on personal data to US – Safe harbour
13 October 2015
On 6th October 2015 the Court of Justice of the European Union (CJEU) declared the EU/US Safe Harbour scheme invalid. The Safe Harbour scheme was agreed in 2000 by the European Commission and the US Department of Commerce and allowed US companies to comply with the EU Directive 96/46/EC on the protection of personal data. It set out a number of principles regarding the protection of personal data to which US undertakings may voluntarily subscribe and was designed to allow US-based organisations to overcome the restrictions on transfers of personal data from the EU. It has proved a central means by which data has been transferred to the US from the EU and other jurisdictions that have enacted similar legislation, such as the Channel Islands, and is used by approximately 4500 US companies.
Following a case lodged by an Austrian citizen against the Irish data protection regulator concerning data processed by Facebook, the CJEU announced its ruling.
In a press release, the CJEU has set out a summary of the decision, and the full judgment can be found here: http://curia.europa.eu/juris/documents.jsf?num=C-362/14
It is important that regulators and legislators provide a considered response and this office will be working with our European colleagues in reviewing the ruling in detail. In the meantime, all local businesses that transfer data to the US will need to do the following –
• Review all data transfers to identify which data, if any, are transferred to the US;
• Where data are transferred to other service providers (processors) the relevant contracts should be reviewed for any reference to the Safe Harbour scheme;
• Where such transfers are carried out in reliance on the Safe Harbour scheme an alternative suitable mechanism should be explored.
Concerns about the Safe Harbour scheme have been raised before; the revelations made in 2013 by Snowden concerning the activities of the US intelligence services prompted negotiations between the European Commission and the US authorities with a view to introducing a better protective arrangement. These negotiations are well advanced and this recent ruling will no doubt add some further impetus to this work. In addition, the EU is due to implement new legislation to replace the EU Directive which will set new, higher standards of protection for personal data as well as significantly change the territorial scope of the law. Our office will monitor all developments in this area and issue public statements and guidance where appropriate.