Under EU data protection laws, the transfer of personal data outside the European Economic Area (EEA) is forbidden unless it is transferred to a country which is deemed to have adequate data protection safeguards.
One of the adequate safeguards – the Safe Harbour agreement – was entered into between the EU and the US to allow US companies to self-certify that they would protect EU citizens’ data when transferred to the US. EU companies could rely on it to satisfy EU data protection laws and transfer data to the US.
However, the Safe Harbour agreement was ruled to be invalid following the case of Schrems. In this case an individual made a complaint to the Irish data protection authority in relation to Facebook, which relied on Safe Harbour to transfer data to the US. He argued that, in light of the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services, the law and practices of the US offer no real protection against surveillance by the US of data transferred from the EU.
So, for now, companies must rely on the other ‘adequate safeguards’ which allow data to be transferred outside the EEA, such as the binding corporate rules, model contract clauses or other contractual arrangements.
The new Safe Harbour 2.0 agreement (called the EU-US Privacy Shield), which may come into force this month, will again allow companies to rely on an EU-US agreement to transfer data to the US. However, there has been some suggestion that the new agreement may also not be adequate and so could be open to challenge in the courts in the same way as the original Safe Harbour agreement was.
So we’re going to sit here and watch the news roll in to see whether changes are made to the Safe Harbour 2.0 agreement in light of the criticism or whether there will be choppy waters ahead and uncertainty about how safe Safe Harbour really is.
In the meantime you’ll need to put other measures in place, urgently if you haven’t done so already, to allow the transfer of personal data to the US and it may be advisable to continue to rely on them even once Safe Harbour 2.0 is agreed rather than being ‘left up a creek without a paddle’ in the future.
The use of other measures is particularly relevant following the news of Brexit, which leaves the future status of the UK’s inclusion in the EEA unclear. Once the UK leaves the EU, UK companies (who will still be subject to the Data Protection Act which also has requirements regarding transferring data outside the EEA) would not be able to rely on even a ‘valid’ Safe Harbour scheme to transfer data to the US. Also, if the UK is not a member of the EEA, companies within the EU will not automatically be able to transfer data to the UK! However, it would appear likely that the UK will enter into agreements with the US and EU to allow such transfers.
So as you can see the tide is very changeable. Therefore, it’s important to keep afloat and stay up to date with the developments.
NOTE: Following the invalidation of Safe Harbour, Facebook now relies on the model contract clauses to transfer individuals’ personal data to the US. However, Schrems has brought a further case arguing that the shift in the legal basis for the transfer (i.e. from Safe Harbour to the model contract clauses) does not remedy the fact that data transferred to the US is still subject to US mass surveillance laws and programs. So watch this space!