In a dramatic judgement, the European Court of Justice has struck down the Safe Harbour agreement that has allowed companies to transfer data to the US. But while the ruling has potentially serious impact in the long term, marketers don’t need to panic just yet.
While Safe Harbour is now invalid, the ICO has reassured UK businesses that it’s reasonable to give some time to consider other options. In addition, negotiations that could expand to a ‘Safe Harbour 2’ agreement may now accelerate.
The European Court of Justice ruled on 6 October that US companies do, “not afford an adequate level of protection of personal data”, and the so-called Safe Harbour agreement is now invalid. Direct Marketing Solicitor James Milligan explains what Safe Harbour is, why it matters, and what it means for you.
1. What was Safe Harbour?
The EU’s privacy laws are amongst the toughest in the world, and companies are not permitted to send personal data elsewhere.
The EU is also a vast single market, and so highly attractive to non-EU companies. Safe Harbour was the system agreed between the EU and USA that permitted US companies to obtain accreditation that guaranteed data protection equivalent to that found in the European Union.
The European Court of Justice (ECJ) decision now makes this system invalid.
2. What was the decision of the ECJ?
The ECJ made two decisions:
• It invalidated the European Commission’s approval of the Safe Harbour Principles, defined back in 2000, which many organisations use to transfer personal information between Europe and the USA
• It allows national data protection authorities in the Member States to carry out their own investigations into whether a country outside Europe has an equivalent level to the protection of personal information as defined in the 1995 European Data Protection Directive. This even applies if the European Commission has found that a country does indeed provide an adequate level of protection
Only the ECJ, and not a national data protection authority, can declare such a decision by the European Commission invalid.
3. My organisation currently transfers personal information to a USA-based organisation, under the Safe Harbour Principles. What should my organisation do now?
Don’t panic. Data already transferred to US-based companies under Safe Harbour will be unaffected
However, from today, it would be a breach of data protection regulations to do so. But, as the Information Commissioner’s Office (ICO) points out, it’s reasonable to expect that new arrangements may take some time, and give organisations time to find alternative solutions.
Organisations that use the Safe Harbour principles will need to review how they ensure that personal information transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this.
4. What are the alternative legal grounds for transferring personal information to the USA?
There are two main possibilities:
Model Contract Clauses
There are two versions of Model Contract Clauses produced by the EU for transfers of personal information to countries outside Europe. Read the ICO’s guidance on Model Contract Clauses here:
• Where a data controller in Europe transfers personal information to a data controller in the USA. This could be where a list owner in the EU transfers personal information to US-based company that wants to market to European citizens
• Where a data controller in Europe transfers personal information to a data processor in the USA. This could be where a European based organisation transfers personal information to an email service provider in the US, where the emails are sent from the USA
If you use Model Contract Clauses, you need to make sure that the problems identified by the ECJ are overcome. Notably:
• The Snowden revelations demonstrate a significant overreach on the part of US intelligence services, with large-scale surveillance and intercept. European citizens have no right to challenge US intelligence services who want to access their personal information when held by a US organisation.
• The US organisation the personal information is transferred to is subject to US law. If US intelligence services ask the US organisation for personal information, it has to disclose it. The US organisation cannot challenge the decision and it cannot alert the European based organisation either.
Binding Corporate Rules
This is a procedure where an organisation ensures that its internal policies and procedures ensure any transfers within the group but to another country are protected under the European Directive 1995.
Policies and procedures have to be approved at a European level and the approval process takes some time. It is only really suitable for large organisations.
More information about Binding Corporate Rules can be found here.
Again, organisations will have to ensure that the problems identified by the ECJ with the Safe Harbour principles as discussed above in the section on Model Contract Clauses are overcome.
5. What about the discussions on negotiating a revised set of Safe Harbour Principles?
The European Commission identified in 2013 that there were problems with the existing Safe Harbour Principles, thanks to the Snowden revelations. The EU is already in negotiations with the USA to develop a revised set of Safe Harbour Principles, and the ECJ judgement recognises this.
It will be interesting to see whether the ECJ judgement will speed-up these negotiations.
By James Milligan
Solicitor
DMA