15 October 2015

Data protection and data transfer from the EU to US: Safe Harbor agreements ruled invalid

Multinational employers must take note of a ruling from the European Court of Justice (“ECJ”) that will have a significant effect on the legality of passing employees’ personal data to the US.

EU law states that personal data must not be transferred to a country or territory outside the EU unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects. Employers in the EU who transfer employee personal data to the US have for a number of years been able to ensure compliance with EU data protection law provided the US entity signs up to principles broadly matching those under the EU Data Protection Directive. 

This arrangement derives from a European Commission ruling in 2000 establishing the so-called “Safe Harbor” agreement. US organisations that signed up to and complied with the agreement were, until now, authorised to accept data transfers from the EU without the need for further approval.

Now a judgment by the ECJ has ruled the Safe Harbor agreement invalid, following a case pursued by an EU citizen, Maximilian Schrems, who was concerned about Facebook's transfer of his personal data to the US. Against the background of the disclosures by Edward Snowden about US authorities' far-reaching surveillance and use of personal data held by US corporations, the ECJ has found the protections of the Safe Harbor agreement to be inadequate.

For full details of the case please refer to our full article on safe harbor agreements.

What should employers do now?

This ruling has major implications for employers who transfer employees’ personal data from the EU to the US. Such employers should now urgently review their arrangements. To the extent they rely on the Safe Harbor agreement, the legality of their data transfers is now in question.

Other options for ensuring legal data transfers to the US from the EU include:

  • implementing standard contractual provisions, authorised by the Information Commissioner, between the data controllers / processors to govern the data transfer;
  • where a transfer is carried out by a UK-established company to other members of its group in different jurisdictions, agreeing legally enforceable rules between those companies, again in a form approved by the Information Commissioner.

However, it is possible that further litigation will undermine the lawfulness of these options as well, given the apparently fundamental concerns held by the ECJ about data privacy in the US. Negotiations for new data protection agreements between the EU and the US are under way but this development can only complicate and delay them. We will keep you posted.
