Safe Harbor: a safe harbour no more?

It has been a long-established EU data protection law that personal data can only be sent outside of the EU if one of various tests is passed. For transfers to the United States, the key decision of the EU Commission was that where US companies signed up to the “Safe Harbor” scheme – which essentially self-certifies that they meet certain minimum standards of data security – European entities could safely transfer personal data to them.

Mr Schrems, a Facebook user, understood that data that he put onto his Facebook page, which was operated via Facebook’s Irish subsidiary, would be transferred to servers in the United States for processing. Based on his understanding of the disclosures of the American privacy activist and whistle-blower Edward Snowden, he was concerned that the US’s National Security Agency (NSA) engaged in various practices which made the holding of data, even by companies signed up to Safe Harbor, unsafe, and he complained to the Irish data protection commissioner.

The Irish commissioner took the view that, if the Safe Harbor scheme was approved by the EU Commission, there was nothing the commissioner could do. Schrems persisted with his complaint, which resulted in the European Court of Justice today making a wide-ranging ruling that in particular decided the following:

  • The fact that the EU Commission had approved Safe Harbor did not mean that a national commissioner could not look into issues relating to an individual’s data protection rights.
  • The Safe Harbor scheme enabled ‘interference, by United States public authorities, with the fundamental rights of persons’ and this ‘must be regarded as compromising the essence of the fundamental right to respect for private life’.

As a result, the Court has found that the EU Commission’s finding that the Safe Harbor scheme allowed data transfers to the US was invalid. Consequently, the Irish commissioner is now required to examine Schrems’ complaint and ultimately determine if all transfers of personal data by Facebook Ireland to Facebook US should be suspended.

If, as we expect, the Irish commissioner finds against Facebook, European companies will need to consider the other options when transferring personal data. For example, can they get express consent to the transfer? This will be difficult, when often the company involved doesn’t know exactly what it plans to do with data it collects. Alternatively, the company will need to put in place multiple ‘model clause’ contracts between itself and the US data importer. This too is now open to challenge, as the US importer cannot say with enough certainty that the NSA will not access the personal data and thus interfere with the fundamental rights of the person.

In a fully connected world, the movement of personal data from the EU to the US has suddenly hit a potentially very big bump, causing businesses involved to reconsider what they are doing, why, how and where.