A recent ruling in the Court of Justice of the European Union (CJEU) has had a significant impact on European data protection law. The CJEU had previously ruled that a framework devised by the US Department of Commerce, known as “Safe Harbor”, provided adequate protection to EU citizens and their personal data in instances where that personal data was being handled outside of the EU (i.e. in the USA).
Until October 2015, a US company would simply have to be a member of Safe Harbor, which would give it a broad stamp of approval to handle the personal data of EU citizens. This has now changed: compliance with the existing Safe Harbor framework is no longer sufficient to demonstrate that a US company is complying with EU data protection law.
The case that has forced this change was Maximillian Schrems v Data Protection Commissioner, and it was a case originally brought before the Irish Data Protection Commissioner by an Austrian citizen. The individual, Mr Schrems, alleged that his personal data held by Facebook was not being adequately protected as it was being transferred from Facebook’s subsidiary in Ireland to servers located in the US. Mr Schrems also sought to successfully argue that, in light of the data protection concerns raised by Edward Snowden in 2013 and the increased awareness of the invasive techniques used by the US intelligence services in relation to personal data held in the US, Safe Harbor can no longer provide assurances that data is protected to a standard that an EU citizen would expect. The court also ruled that data protection authorities within EU member states are not prevented from considering complaints from individuals that their data has not been properly protected outside of the EU. The ability to do this was previously prohibited.
The ruling has, at least for the time being, left industries involved in transatlantic data sharing somewhat shell-shocked. The assurance that Safe Harbor would automatically be considered to provide adequate protection under EU law is no longer there, and EU companies must now seek specific assurances from their US counterparts.
For EU- or EEA-based companies, the CJEU ruling will act as a prompt to review contracts with US-based data hosts in order to consider whether additional measures need to be added to these agreements to ensure that they offer greater protection than that offered by Safe Harbor.
This ruling could even have an impact on small (non-international) UK companies, as such companies will often use cloud storage for storing personal data. Providers of cloud storage regularly store the data on a US server because US hosting is cheaper, and they will not always tell the customer they are doing so. In light of the ruling, it is therefore important that companies using cloud storage pay close attention to where their data is being stored, and under what terms.
Cloud providers themselves will also have to ensure their legal processes are now more watertight. This will include using additional methods recommended by the Information Commissioner’s Office, such as adopting standard EU contract terms or, in the case of a larger, international group of companies, entering into what are called binding corporate rules between themselves. These will then give the requisite assurances to both the data protection authorities and the data subjects that their data should be safe.
In the interim at least, EU companies will most likely have to tweak data handling contracts held with US companies on a case-by-case basis, where they feel it is necessary and appropriate as part of protecting the personal data of EU citizens. Further into the future, it is possible that the European Commission will devise a set of standardised terms which EU companies could insert into the contracts they enter into with US companies in order to offer improved protection.
Beyond this, the most logical long-term solution would be for the EU and US to devise a new transatlantic data-sharing agreement with a stricter set of standards, effectively a ‘Safe Harbor 2.0’. It may, however, once again prove difficult to regularise dealings with US companies in this way, as the invasive behaviour of US intelligence services may prove difficult to control.
Should you require any further information, or advice, on this topic, or any assistance in modifying your data sharing and processing contracts, please get in touch.
Brian Miller is a solicitor and partner and Richard Jones a trainee solicitor at Stone King LLP, providing specialist advice in the fields of intellectual property, IT, data protection and commercial law.
Disclaimer: This article may not be reproduced without the prior written permission of the author. This article reflects the current law and practice. It is general in nature, and does not purport in any way to be comprehensive or a substitute for specialist legal advice in individual circumstances.