As has been widely publicised, the Court of Justice of the European Union has followed the Advocate General’s opinion in the Schrems case and has declared invalid the European Commission’s decision authorising Safe Harbour. This was a case referred from Ireland about Mr Schrems’ objections to Facebook transferring his data to the USA.
Interestingly, in invalidating the decision, the Court said that the Commission had not stated in its decision that the USA ensures an “adequate level of protection by reason of its domestic law or its international commitments”. So we await the outcome of the current renegotiations of Safe Harbour between the US government and the EU Commission. Will this involve the curtailment of the sweeping surveillance powers of the NSA? The CJEU recognised the need for national security but noted that the Commission was of the opinion that these powers went “beyond what is strictly necessary and proportionate to the protection of national security.” Will this see a demand for the introduction of some form of general US data protection legislation? Once the new Safe Harbour is in place, things will go back to normal.
How does this affect data transfers?
In the meantime, how does this declaration of invalidity of Safe Harbour affect data transfers? There are two main options:
- Organisations should keep their (personal) data in the EEA; or
- Organisations should ensure that they have appropriate safeguards in their contracts with providers based outside the EEA.
Clauses alone are not sufficient
Of course, clauses alone are not sufficient. The data controller customer must ensure the data processing IT provider actually has appropriate data protection processes and systems in place. The UK Information Commissioner recognises that this adjustment to comply with the ruling will take time so, in the absence of data breaches, immediate enforcement against organisations is unlikely.
My recommendation, naturally, is to ensure all contracts contain robust data protection clauses. This is not just true of new contracts – where this case will make it an obvious topic of discussion – but you might need to revisit existing contracts too and adjust them.
UPDATE 12/10/2015: Contact me for a copy of my 8-point guide on what to do about your data transfers now.