Multinational employers must take note of a ruling from the European Court of Justice (“ECJ”) that will have a significant effect on the legality of passing employees’ personal data to the US.
EU law states that personal data must not be transferred to a country or territory outside the EU unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects. Employers in the EU who transfer employee personal data to the US have for a number of years been able to ensure compliance with EU data protection law provided the US entity signs up to principles broadly matching those under the EU Data Protection Directive.
This was set out in a European Commission ruling in 2000 establishing the so-called “Safe Harbor” agreement. US organisations that signed up to and complied with the agreement were, until now, authorised to accept data transfers from the EU without the need for further approval.
Now the ECJ has ruled the Safe Harbor agreement invalid, following a case pursued by an EU citizen, Maximilian Schrems, who was concerned about Facebook's transfer of his personal data to the US. Against the background of the disclosures by Edward Snowden about US authorities' far-reaching surveillance and use of personal data held by US corporations, the ECJ has found the protections of the Safe Harbor agreement to be inadequate.
For full details of the case, please refer to our article on safe harbor agreements.
What should employers do now?
This ruling has major implications for employers who transfer employees’ personal data from the EU to the US. Such employers should now urgently review their arrangements. To the extent they rely on the Safe Harbor agreement, the legality of their data transfers is now in question.
Other options for ensuring legal data transfers to the US from the EU include:
- implementing standard contractual provisions, authorised by the Information Commissioner, between the data controllers / processors to govern the data transfer;
- where a transfer is carried out by a UK-established company to other members of its group in different jurisdictions, agreeing legally enforceable rules between those companies, again in a form approved by the Information Commissioner.
However, it is possible that further litigation will undermine the lawfulness of these options as well, given the apparently fundamental concerns held by the ECJ about data privacy in the US. Negotiations for new data protection agreements between the EU and the US are under way, but this development can only complicate and delay them. We will keep you posted.