How Safe is 'Safe-Harbour'?

On 6 October, the Court of Justice of the European Union (CJEU) issued its decision that has far reaching implications on businesses that transfer personal data to the United States. It held that the European Commission’s decision on 26 July 2000 that personal data can be transferred to the United States where organisations sign up to the ‘Safe-Harbour’ data protection principles, was invalid.

Facts

The EU Data Protection Directive (No.95/46) prohibits the transfer of personal data outside the EU unless those jurisdictions adequately protect the data. Where US companies adhere to the ‘Safe-Harbour’ framework, such data has been allowed to be transferred to the Untied States.

Maximillian Schrems, an Austrian Citizen, complained to the Irish Data Protection Commissioner that the personal data on his Facebook account should not be transferred from Facebook’s Irish subsidiary to its parent company in the United States, Facebook Inc. Needless to say, in view of the decision in 2000, the Irish Data Protection Commissioner rejected his request. An appeal followed, which saw the issue referred to the CJEU.

The CJEU noted that the Safe Harbour principles contained in the European Commission’s Decision in 2000:

  • are self-certified, so only apply to US companies that sign up to the principles;
  • do not apply to the United State’s public authorities; and
  • can be overridden by law enforcement requirements, public interest and for national security.

As such, the CJEU concluded that this did not provide an adequate level of protection for personal data transferred to the United States and, as such, the ‘Safe-Harbour’ decision in 2000 was invalid.

What does this mean for you?

The decision should make you consider what personal data you hold and where it is sent. If it goes outside the EU, does that jurisdiction provide adequate protection?

If you have a US company in your group, does information, such as the personal data of your staff, get sent to it? Do you use software provided by US companies, such as; cloud computing, HR software, sales databases? If so, you will need to carefully consider what information is sent to the United States and how you transfer any personal data to ensure you comply with local Data Protection principles.

Click here to read the CJEU’s decision.

Click here to see the UK’s Data Protection principles.

If you have any queries in relation to this or any other employment related matter, you should contact Matthew Kilgannon on 01483 411 517 or m.kilgannon@downslaw.co.uk or your normal contact in the employment team

We are Downs

Find an office Make an enquiry
Complaints ProcedureContact usSitemap

Cobham Office

15A High Street
Cobham
Surrey
KT11 3DH

T: 01932 589599
F: 01932 505087

SRA: 631669.

Dorking Office

156 High Street
Dorking
Surrey
RH4 1BQ

T: 01306 880110
F: 01306 471230

SRA: 446286

Godalming Office

The Tanners
75 Meadrow
Godalming
Surrey
GU7 3HS

T: 01483 861848
F: 01483 431965

SRA: 446294

 Downs Solicitors LLP is a limited liability partnership registered in England and Wales, registered number is OC 321831
Registered office: 156 High Street, Dorking, Surrey, RH4 1BQ. VAT number: GB 209927442

A list of members names is available for inspection at the above address
Authorised and reguated by the Solicitors' Regualtion Authority SRA: 446286. 

© Copyright 2015 - 2024