A recent ruling of the Court of Justice of the European
Union (CJEU) has had a significant impact on European data protection law. The European
Commission had previously decided that a framework devised by the US Department of Commerce,
known as "Safe Harbor", provided adequate protection for EU citizens and their
personal data in instances where that data was being handled outside
of the EU (i.e. in the USA).
Until October 2015, a US company simply had to be a
member of Safe Harbor, which gave it a broad stamp of approval to
handle the personal data of EU citizens. This has now changed: compliance with the
existing Safe Harbor framework is no longer sufficient to demonstrate that a
US company is complying with EU data protection law.
The Case
The case that forced this change was Maximillian Schrems v Data Protection
Commissioner, a complaint originally brought before the Irish Data
Protection Commissioner by an Austrian citizen. The individual, Mr Schrems, alleged
that his personal data held by Facebook was not being adequately protected when
it was transferred from Facebook's subsidiary in Ireland to servers
located in the US. Mr Schrems argued successfully that, in light
of the data protection concerns raised by Edward Snowden in 2013 and the
increased awareness of the invasive techniques used by the US intelligence
services in relation to personal data held in the US, Safe Harbor could no longer
provide assurance that data is protected to the standard that an EU citizen
would expect. The court also ruled that the data protection authorities of EU
member states are not prevented from examining complaints from individuals
that their data has not been properly protected outside of the EU. Previously, the
existence of the Commission's adequacy decision had been treated as precluding such examination.
The implications
The ruling has, at least for the time being, left industries
that engage in transatlantic data sharing somewhat shell-shocked.
Safe Harbor membership can no longer be treated as automatically providing
adequate protection under EU law, and EU companies must
now seek specific assurances from their US counterparts.
For EU or EEA based companies, the CJEU ruling will act as a
prompt to review contracts with US based data hosts in order to consider
whether additional measures need to be added to these agreements to ensure that
they offer greater protection than that offered by Safe Harbor.
This ruling could even have an impact on small (non-international)
UK companies, since such companies often use cloud storage for storing
personal data. Providers of cloud storage regularly store that data on US
servers because US hosting is cheaper, and they will not always tell the
customer that they are doing so. So, in light of the ruling, it is important that
companies using cloud storage pay close attention to where their data is being
stored and under what terms.
Cloud providers themselves will also have to ensure that their
legal processes are now more watertight.
This will include using the additional mechanisms recommended by the Information
Commissioner's Office, such as the European Commission's standard contractual clauses
(model clauses) or, in the case of a larger, international group of companies,
binding corporate rules entered into between the group members.
These will then give the requisite assurances to both the data protection
authorities and the data subjects that their data should be safe.
The future
It is likely that, in the interim at least, EU
companies will have to adjust the data handling contracts they hold with US
companies on a case-by-case basis, where they consider it necessary and
appropriate as part of protecting the personal data of EU citizens. Further
into the future, it is possible that the European Commission will revise its
standard contractual clauses, giving EU companies an updated set of terms to insert
into the contracts they enter into with US companies in order to offer improved
protection.
Beyond this, the most logical long-term solution would be
for the EU and US to devise a new transatlantic data-sharing agreement with a
stricter set of standards, effectively a "Safe Harbor
2.0". It may, however, once again prove difficult to regularise dealings
with US companies in this way, as the invasive behaviour of the US intelligence
services may prove difficult to control.
Should you require any further information or advice on this topic, or any assistance in modifying your data sharing and processing contracts, please get in touch.
Brian Miller is a solicitor and partner, and Richard Jones a trainee solicitor, at Stone King LLP, providing specialist advice in the fields of intellectual property, IT, data protection and commercial law.
Disclaimer: This article may not be reproduced without the prior written permission of the author. This article reflects the current law and practice. It is general in nature, and does not purport in any way to be comprehensive or a substitute for specialist legal advice in individual circumstances.