Data Protection US Safe Harbor scheme held invalid
On 6th October 2015 the European Court of Justice (ECJ) handed down its ruling in the case of Maximilian Schrems v Data Protection Commissioner. The ECJ found that the US Safe Harbor scheme, which has been in place since 2000, is invalid. This means that, technically, many data transfers to the USA are now, and have been, illegal. In theory we could see people complaining to the relevant national data protection authorities and claims being made against companies that transfer personal data to the USA.
Mr Schrems was objecting to the Irish Data Protection Commissioner about the transfer of his Facebook data to US servers, in the light of the revelations by Edward Snowden in 2013 concerning the activities of the US intelligence services. The main reasoning for the decision is that the US public authorities are not restricted by the Safe Harbor scheme and so have unfettered access to all personal data transferred to the USA, which compromises the fundamental human right to respect for private life. It’s not clear what Mr Schrems will get as a result of the judgment, apart from publicity and the satisfaction of having overturned a scheme that has been used by thousands of companies, but the issue is still the subject of litigation before the High Court of Ireland (where Facebook and many other international companies process their personal data).
The UK Information Commissioner’s Office (ICO) has issued a statement in which it said that this does not mean that there is an increase in the threat to people’s personal data, that there are other options apart from reliance on the Safe Harbor, and that businesses that use Safe Harbor should review how they ensure that data transferred to the US is transferred in line with the law.
In a sense this is a political case, and arises against the background of continuing EU-US discussions, but at the moment it seems that companies cannot safely make any data transfers from EU countries to the USA. Other processes do exist in addition to the Safe Harbor, such as Binding Corporate Rules and Model Contract clauses, but these mechanisms are expensive and time-consuming to put in place. And in any event they would not seem to overcome the main point of the ECJ decision, in that no personal data transferred to the USA can now be said with any certainty to be secure if it is subject to “access on a generalised basis by the US authorities” (to quote the words of the ECJ).
The ICO says it will be working with its European colleagues to produce guidance following the ECJ ruling, which will be eagerly awaited.