On 6 October 2015, the European Court of Justice (“CJEU”) declared that the US Safe Harbour scheme for transferring personal data from the EU to the United States is invalid and that national data protection regulators have complete independence from the European Commission to consider the adequacy of schemes for the transfer of personal data to a third country. This is the case even where the European Commission has declared that the third country provides an adequate level of protection for personal data.
Businesses collecting the personal data of EU citizens are required to ensure that such data remains within the European Economic Area, unless it is transferred to a jurisdiction which is considered to provide ‘adequate’ protection. For personal data being transferred to the United States, the European Commission had previously declared the Safe Harbour scheme, whereby US companies must adhere to protective standards, principles and procedures, as ‘adequate’, but this cannot now be relied on.
This decision is of major significance for all those businesses that have relied on the Safe Harbour scheme as a means of transferring personal data to the US, whether these are businesses engaged in processing personal data on behalf of third parties or businesses who engage others to process personal data for them in the US.
Following the decision, businesses should review any personal data transfers that rely upon the scheme and consider alternative methods of ensuring ‘adequate’ protection. Other methods are available including the use of standard model clauses and binding corporate rules, although these can be rather burdensome.
The Information Commissioner has issued a statement recognising that it will take some time for businesses to review current practices and stating that it will be working with other data protection authorities in the EU and issuing further guidance on the options available to businesses in due course. Inevitably there will be a period of uncertainty and it will be interesting to see what impact this decision has on the progression of the long awaited new Data Protection Regulation.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.