A recent decision by the CJEU which declared the US Safe Harbour Scheme to be invalid could have major implications for multinational organisations that transfer personal information from Europe to the US as part of their business.

Facts

European data protection law provides that personal data may not be transferred outside of Europe unless it is given an adequate level of protection. The Safe Harbour Scheme (the "Scheme") was an agreement between the European Commission (the "Commission") and the US government allowing any US entity complying with its principles to be certified and therefore permitting these entities to process personal data which had been transferred from Europe. Since the Commission validated the Scheme in July 2000 (the "Commission Decision"), many thousands of organisations have come to rely on the Scheme as a means of transferring employee data from the EU to the US.

The CJEU's decision was instigated following Edward Snowden's revelations in 2013 concerning the surveillance by the US National Security Agency (NSA) of data held within the Scheme. Those revelations led Austrian law student Max Schrems to challenge the protection offered by the Scheme in an action against Facebook. All Facebook subscribers in the EU are required to consent, upon registration, that their personal data may be transferred from Facebook's EU headquarters in Ireland to servers in the US, where it is then processed. Schrems complained to the Irish Data Protection Commissioner (DPC) that, in doing this, Facebook was not ensuring adequate protection against the mass surveillance of personal data by US security agencies. The DPC rejected Schrems' argument on the basis of the Commission Decision validating the Scheme. The High Court of Ireland then sought a ruling from the CJEU as to whether the Commission Decision prevented a national supervisory authority from investigating complaints that a non-member state is not complying with data protection measures and, if required, suspending the transfer of any such data.

The CJEU held that US authorities were able to access transferred personal data for purposes that were incompatible with the purposes for which it was transferred and beyond what is necessary and proportionate to protect national security. The CJEU held that the Commission did not have the authority to restrict national supervisory powers and so ruled the Commission Decision to be invalid.

Practical Implications

As a first step, businesses should carry out a risk assessment of their data processes. In particular, they should limit the amount of personal data which is to be transferred and anonymise it wherever possible. Companies may wish to restructure how data is transferred between group entities and put in place intra-company agreements. Multinational organisations must be particularly vigilant when transferring data relating to their employees from EU to US HR departments.

Other means of protecting data outside of the Scheme such as EU Approved Model Clauses and Binding Corporate Rules (BCR) should also be assessed and used with caution as these are likely to be more closely scrutinised following the recent CJEU decision.

It should also be noted that the European Commission and the US government are in negotiations to reform the Safe Harbour Scheme so that it complies with European data protection law. As a first step, the US House of Representatives approved the "Judicial Redress Act" last Tuesday, making a new Safe Harbour Agreement more likely if it is passed by the Senate. In the meantime, however, we would not recommend a "wait and see" approach, but rather recommend taking active steps to safeguard against any challenges employees may bring for non-compliance with data protection regulation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.