Following recent headlines on the invalidity of the Safe Harbor framework for transferring personal data outside of Europe, we consider the impact upon UK employers who transfer employee data to their US parent companies and suggest next steps.
In the case of Schrems v Data Protection Commissioner (C-362/14), the Court of Justice of the European Union (CJEU) considered whether the Irish Data Protection Commissioner's Office has the authority to examine Mr Schrems' concerns regarding the transfer of his personal data under the Safe Harbor framework from Facebook's Irish subsidiary to its parent company, Facebook Inc, in the US.
Mr Schrems made his initial complaint to the Irish Data Protection Commissioner following the Snowden revelations, which indicated that Facebook (and other US companies) were being required to make the personal data they hold (including personal data originating from the EU) available to US intelligence agencies. Mr Schrems was concerned about the protection of European citizens' fundamental privacy and data protection rights once their data reaches the US, even though Facebook had signed up to the Safe Harbor programme and had accordingly been granted a presumption of adequacy.
The CJEU found that the current Safe Harbor framework does not provide an adequate level of protection because its principles bind only the US corporate entities that self-certify to them and not US public authorities. EU protections are therefore currently overridden by US national security, public interest and law enforcement requirements, with the result that the US intelligence services have been able to access and conduct surveillance of personal data transferred to the US from Europe. The CJEU also identified that the current framework gives individuals no means of seeking legal recourse, so that individuals have no enforceable right to access their personal data or to require that it is accurate and up to date.
In light of the CJEU's decision, the Irish Data Protection Commissioner will now consider Mr Schrems' complaint and decide whether the transfer of the personal data of Facebook's European subscribers to the US should be suspended on the ground that the current Safe Harbor framework does not guarantee an adequate level of protection of personal data in the US.
Brief overview of Safe Harbor for employers
The EU Data Protection Directive (95/46/EC) prohibits the transfer of personal data to countries outside the EEA unless the destination country ensures an 'adequate' level of protection for the personal data. The European Commission has the power to issue a decision certifying that a given country provides such protection. It was in exercise of this power that the European Commission issued a Decision in July 2000 under which the Safe Harbor framework was established.
The Safe Harbor framework established a system under which US based companies are able to self-certify their adherence to a set of data protection principles.
Essentially, the Safe Harbor framework provides a mechanism for UK employers to transfer employee personal data to a US company for processing. The Safe Harbor framework is designed to ensure that the employee personal data transferred is subject to the same protections as if it were being processed under European legislation.
Accordingly, the Safe Harbor framework gives subsidiary companies based in the UK a legitimate route for transferring their employees' personal data to their US-based parent company. The Safe Harbor framework is also heavily relied upon by US-based cloud computing and HR software providers.
In light of the CJEU decision, national regulators can now suspend transfers of personal data to the US if they consider that the protection is inadequate. This leaves UK employers who rely on Safe Harbor to transfer employee data to their US parent exposed to claims from employees that those transfers are unlawful.
There are other methods of transferring personal data to the US, such as model clause agreements, the exemptions in the Directive (such as necessity) or binding corporate rules. Some employers rely on consent to transfer their employees' personal data to the US. Such consent, provided it has been 'freely given', can circumvent the issues relating to the transfer of personal data to the US. However, consent can be withdrawn at any time, which in itself makes this method of transfer potentially unstable.
Meanwhile, whichever transfer mechanism is used, UK employers are unable to prevent the employee personal data from being exposed to scrutiny by US intelligence services, over which the US parent has no control.
What does this mean for UK employers?
The Advocate General's opinion in the Schrems case was that companies availing themselves of Safe Harbor have not violated EU law. Safe Harbor mechanisms are still operating in the US, and the companies that have signed up to the current framework continue to follow its principles in practice. The issue lies within the Safe Harbor framework itself: it has been found to be flawed because the US intelligence agencies' powers to conduct surveillance and intercept data are far wider than the access to personal data that EU governments may obtain for legitimate counter-terrorism purposes.
The European Commission has for some time been negotiating with the US government to review the current Safe Harbor framework. On 6 October 2015, the US Secretary of Commerce, Penny Pritzker, issued a statement on the CJEU decision confirming that 'The court's decision necessitates release of the updated Safe Harbor Framework as soon as possible'.
What next for employers?
In the meantime, UK employers who transfer employee personal data to the US are advised to review their data privacy compliance processes and ensure that the fundamentals are in place and being followed. Employers can also use this opportunity to re-examine why employee personal data is transferred outside of the EEA at all. It is highly likely that most transfers of employee data to a US parent are due to the location of servers and the use of cloud technology.
Accordingly, employers should also take the opportunity to consider where their employee personal data is stored (e.g. where their servers and/or cloud storage providers are based).
Clearly the issue of transfers of personal data from the EU to the US is in the spotlight, and we are hopeful that the new Safe Harbor framework will be revealed as soon as possible.
In the meantime, employers are encouraged to take the following steps in light of the CJEU decision:
- review where employee personal data is currently transferred to;
- consider the purposes of the transfer(s), the duration of the transfer, and the country of origin and destination of the personal data;
- review what security measures are in place to protect the personal data;
- decide whether any short-term emergency measures need to be implemented, for example intra-group model clause agreements (standard sets of data transfer terms approved by the European Commission) or, if practical, ceasing the transfer of employee data to the US; and
- keep up to date with developments in the review of the current Safe Harbor framework.
This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.