On 6 October 2015, the Court of Justice of the European Union handed down its preliminary ruling in the case of Maximilian Schrems v Data Protection Commissioner Case C–362/14, throwing the legality of transferring data from within the European Economic Area to companies based in the USA into question.

Since 2000, thousands of European companies have been involved in the transfer of data to companies in the USA under the provisions of the Safe Harbor framework.  In 2000, the European Commission (in EC Decision 2000/520/EC) established a framework known as the 'Safe Harbor', whereby American companies could self-certify that they had sufficient procedures and protections in place to ensure that any data transferred to them from within the European Economic Area ("EEA") would have the benefit of 'adequate protections' to ensure that there was no breach of the fundamental rights afforded to every EU citizen by the Charter of Fundamental Rights of the EU.

Since the creation of this Safe Harbor framework, companies on both sides of the Atlantic have operated on the basis that if the recipient of the data in America has signed up to the Safe Harbor principles, there is an automatic assumption that 'adequate protections' are in place.  National Supervisory Bodies such as the Data Protection Commissioner in Ireland and the Information Commissioner's Office in the UK ("ICO") were bound by the European Commission Decision and could not investigate a claim by a data subject that their personal data was not being adequately protected when transferred to a Safe Harbor company in the US.

Following revelations by Edward Snowden in 2013 as to the scale and extent of surveillance and interception of personal data by the US National Security Agency, Austrian student Maximilian Schrems lodged a complaint with the Data Protection Commissioner in Ireland ("DPC") against Facebook, arguing that the transfer of his personal data by Facebook Ireland to Facebook Inc in the US under the Safe Harbor framework constituted a breach of his fundamental rights as an EU citizen to 'respect for private life' and 'the right to protection of personal data' (as enshrined in Articles 7 and 8 respectively of the Charter of Fundamental Rights) because it was clear from the information made public by Mr Snowden that 'adequate protections' were not in place.

The DPC in the first instance relied on EC Decision 2000/520 and rejected Mr Schrems' complaint on the basis that the transfer fell within the Safe Harbor framework and that as a National Supervisory Body it did not have the jurisdiction to challenge that decision.  Mr Schrems appealed the DPC's decision and the Irish High Court referred the question to the Court of Justice of the European Union ("CJEU").  On 6 October 2015, the CJEU handed down its preliminary ruling finding that EC Decision 2000/520 was invalid and as a result, that all transfers of data to the USA under the Safe Harbor framework are now at risk of challenge as being in breach of the Data Protection Directive.

So what does the decision mean for European Data Controllers?

The potential impact of this decision is extremely far reaching.  Negotiations between the European Commission and US authorities seeking to agree amendments to the existing Safe Harbor framework commenced some time before the decision in this case, but have so far been without success.  It is hoped that now they are faced with the prospect that US companies may soon be unable to provide data related services to the EU market, the US Government may be more open to reform than it has previously been.  However, even if an acceptable new framework can be agreed, it will require changes to be made to US law and, as with any legislative process, this won't happen overnight.

National Supervisory Bodies such as the ICO will now have the power to consider and investigate complaints from individuals that their personal data has been transferred to America without adequate protection in breach of their fundamental rights.  In any such complaint, it will be the European transferor of data and not the foreign recipient that is potentially liable, so it is important that companies review their processes and consider what happens to any personal data that they collect.

There are temporary solutions to the problem available in the form of EC prescribed 'Standard Contractual Clauses' and 'Binding Corporate Rules'.  The Standard Contractual Clauses can be incorporated into contracts between EU data controllers and US based data processors and, assuming they are complied with, there will be a presumption that 'adequate protections' are in place to justify the transfer of data outside the EEA.  Similarly, the Binding Corporate Rules can be adopted by US based data controllers, and an EU transferor of data will be entitled to rely on the adoption of the Binding Corporate Rules as evidence that 'adequate protections' are in place.  However, these alternatives are now vulnerable to challenge on similar grounds to the Safe Harbor framework because ultimately, under US law, regardless of which EC framework is used, US recipients of data remain under a legal obligation to allow US public authorities access to that data in ways that extend far beyond what is acceptable within the EEA.

The ICO has urged UK companies not to panic, but to take stock of their arrangements and to consider carefully what protections are in place if they are transferring data outside the EEA.  We have seen some immediate reactions from some large American data companies seeking to incorporate the alternative frameworks mentioned above into their contracts with European clients, but for the reasons already mentioned, these alternatives are likely to offer only temporary protection.

Certain global businesses such as Facebook, Salesforce and NetSuite have pre-empted the decision in the Schrems case and are in the process of or have already established data centres in Europe to avoid transferring data to the USA altogether.  This is certainly an effective long term solution for US based companies, but it won't be a viable option for all.

The ICO has stated that it will provide practical advice for businesses once the dust has settled as to what they should and should not be doing during this period of uncertainty.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.