Is data transfer all at sea with end to Safe Harbour arrangements?
8th October, 2015
The transfer of data between companies and organisations in the EU and the USA is set to undergo major changes after a European Court of Justice ruling.
The end to the so-called ‘Safe Harbour’ scheme is likely to have a profound effect on how data is transferred between Europe and the US.
What is ‘Safe Harbour’?
The Safe Harbour arrangement was put in place in 2000 and was designed to provide a “streamlined and cost-effective” way for US firms to get data from Europe without breaking EU rules. It is underpinned by a specific piece of European legislation.
EU laws prohibit personal data from being transferred to and processed in parts of the world that do not provide “adequate” privacy protections.
So, to make it easier for US and EU firms to trade with each other, Safe Harbour was introduced to let US firms self-certify that they are carrying out the required steps.
Some 4,400 US companies including the likes of Facebook have used the arrangement to facilitate data transfers.
What has changed?
As a result of the revelations by the National Security Agency whistleblower Edward Snowden, a challenge was launched against the transfers by Max Schrems, a Facebook user based in Austria.
He argued that since the US intelligence services had access to his personal data when it was on servers based in the US, his rights to privacy and data protection as an EU citizen were not being protected.
The European Court of Justice has required the Irish data protection authority to investigate Mr Schrems’ complaint, but it has gone further and effectively declared that the entire Safe Harbour scheme fails to ensure adequate safeguards for EU citizens’ personal data in the US.
What does this mean for me?
The ruling means that UK companies engaged in transferring personal data of EU citizens to the US who rely on Safe Harbour will need to put in place alternative legal safeguards to ensure they continue to be compliant with data protection legislation.
The judgment may also put organisations in breach of contract, for example of any obligation to comply with the law.
The initial response from the Information Commissioner’s Office (ICO) is that businesses now need to review how they ensure compliance of any impacted data transfers, and that the ICO recognises it will take some time for them to do this. The ICO will be working with its counterpart data protection authorities in other member states and issuing further guidance on the options open to businesses in the coming weeks.
This is likely to mean that the risk of the ICO taking regulatory action or imposing a fine is low if UK businesses wait for the further guidance.
However, consumers and contracting parties may not take the same view.
What action should I take?
For companies affected by the changes, the options for continuing to transfer data are to wait for the guidance from the ICO before taking any steps; to take steps now; or simply to wait for the ‘safer’ Safe Harbour agreement which the European Commission is working on with the US authorities.
No timescale has been given for the conclusion of the ‘safer’ Safe Harbour negotiations, which started in 2013.
It is difficult to see what the ICO guidance could be, other than to use an existing alternative means of compliance such as the European Commission’s standard contractual clauses; unambiguous, informed, specific and freely given consent; or, in the longer term for multinational groups, binding corporate rules. It is likely that the European Commission and data protection authorities such as our own ICO will be keen to avoid an outright suspension of transatlantic data transfers.
The option of taking action now may secure technical compliance. However, steps taken now will be of no long-term benefit if the ‘safer’ Safe Harbour comes into being very quickly or the ICO’s further guidance points to a different path.
It is also possible that we may now see further challenges to other existing compliance mechanisms for data transfers to the US.
Unfortunately, this is uncharted territory and there is no one-size-fits-all solution: it will be a matter of reviewing the impact of the decision on your data transfers, speaking with any affected customers/suppliers, assessing the particular risks in your circumstances and planning and implementing accordingly.
How can Ward Hadaway help?
Our experts on data protection can help you assess the impact of the changes on your business and look at potential methods of navigating through the new landscape.
How can I find out more?
For further information on how Ward Hadaway can help with this or on any other aspect of data protection, please get in touch.
Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.