The case - Maximillian Schrems v Data Protection Commissioner – declares the ‘Safe Harbor’ scheme invalid and allows national regulators to suspend data transfers to the US.
The case was brought by Maximillian Schrems, an Austrian law graduate and privacy campaigner against the Irish Data Protection Commissioner. Schrems argued that the Irish Data Protection Commissioner was wrong to decide that it could not take action against Facebook for transferring personal data to the US under the Safe Harbor scheme.
Schrems argued that, following the revelations made in 2013 by Snowden concerning the activities of the US intelligence services and in particular the National Security Agency, the law and practices of the US offer no real protection against surveillance by the US of the data transferred there.
Robert Lands, partner and head of intellectual property at law firm Howard Kennedy said: “In short, Schrems wants to prevent US intelligence agencies gaining access to his personal data by making it harder for US based businesses to collect personal data about EU citizens.”
The Safe Harbor regime is administered by the US Department of Commerce. US companies signing up to the scheme self-certify that they have in place certain standards for the protection of personal data. In 2000, the European Commission approved Safe Harbor as providing “adequate protection” for the transfer of personal data across the Atlantic. Since then numerous organisations have relied on the scheme to ensure that they are handling personal data lawfully.
Robert adds: “Following the Irish Court’s determination that the surveillance carried out by the US intelligence services is mass, indiscriminate surveillance the CJEU has decided that the Commission was wrong to find that Safe Harbor offered adequate protection for data transferred to the US. Safe Harbor can constitute an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter.”
The implications for the likes of Facebook, Google, numerous tech companies, and any other companies that share personal information with the USA (even to a group company there) are significant.
Robert explains: “They will need to consider their strategies around data transfers; if they have been relying on Safe Harbor to justify them then they will need to think of privacy-friendly methods to do so, which are compliant with the Data Protection Directive.
“Extra due diligence into service providers will need to be conducted as many companies out source their HR, pay roll and other tasks involving personal data about customers or staff. Further, European businesses using software which is supported from the US need to be wary- remote access can often allow a technician to view personal data in the US, meaning a transfer of personal data can occur. A more transparent and accessible approach should be taken to data sharing. Obtaining explicit consent to justify transfers and creating new agreements between companies which share data may be further ways of meeting the requirements of the Data Protection Directive.”
