Transfers of personal data to US may be unlawful following ECJ decision: a briefing for HR

Yesterday’s decision of the ECJ in Schrems v Irish Data Protection Commissioner was widely covered in the media and will potentially impact all EU businesses that transfer personal data to the US. This is widely referred to as “the Facebook case” although Facebook was not a party.

The most immediate impact will be for businesses who either participate in the US Department of Commerce Safe Harbor Scheme or use IT vendors who do.

Don’t panic though: nobody is seriously suggesting that IT systems need to be turned off. Over the coming weeks UK data controllers should:

  • Audit existing international data transfers and the basis for each transfer.
  • Where reliance is placed on the Safe Harbor:
    • as a short term measure, determine whether or not your organisation believes that there are adequate protections in place regarding your transfers and, ideally, document that assessment; and
    • in the longer term, consider alternatives, such as Binding Corporate Rules / Model Agreements.
  • Review vendor IT contracts.

We’re not Facebook; why does this case affect us?

As large scale controllers of consumer data, companies like Google, Facebook and Microsoft take centre stage in the privacy debate. However, in today’s connected world, all organisations of any scale inevitably transfer personal data between locations around the world. If personal data is transferred outside the EU then those transfers are only lawful if one or more of a number of exceptions apply - see below.

In most companies, transfers take place internally (e.g. to an e-Peoplesoft database hosted by a parent company), to IT vendors (e.g. a cloud email service or HR database) or to other business partners (e.g. a law firm, shareholder or client).

For most businesses, this will affect personal data contained within systems such as:

  • Corporate email servers;
  • HR databases; and
  • Training, recruitment and similar tools.

Data is most obviously transferred overseas where the database/server is located overseas. However, the same principles apply where resources are accessible from outside the EU, save that the transfer takes place each time the data is accessed.

What does the law say?

The Data Protection Directive 95/46 (the “Directive”) implemented in the UK by the Data Protection Act 1998 (the “Act”) has, since its inception, contained a prohibition on the transfer of personal data outside the EEA to third countries unless they “ensure an adequate level of protection”. A series of exceptions to this rule are set out in both the Directive and the Act.

Until yesterday, under a Decision of the European Commission dating back to 2000 (the “Safe Harbor Decision”), those exceptions included transfers to US companies who participate in the US Department of Commerce’s Safe Harbor Scheme.

This is a voluntary self certification scheme where US companies can elect to apply the main data protection principles to EU personal data.

What’s the fuss about?

Privacy advocates have long criticised the Safe Harbor Scheme. This was originally a result of a general suspicion that many US companies signed up but then did not take their obligations seriously. There has also been a noted lack of enforcement action by the Federal Trade Commission (except where the abuse was flagrant).

Those concerns were exacerbated by the Snowden revelations, which publicly revealed mass surveillance undertaken by US security agencies of personal data relating to EU citizens under a secret program referred to as “PRISM”. Whilst the US constitution jealously protects the privacy of US citizens, there are no such protections for non-US citizens, and so US law permits far more extensive surveillance of non-US citizens than of US citizens.

The Facebook case was initiated by a Facebook user by the name of Max Schrems, who is an Austrian law student.

Facebook’s EU operations are carried out by Facebook Ireland and located in Ireland, but Facebook’s servers are located in the US. This makes Facebook Ireland the data controller and (its parent) Facebook, Inc the data processor. This gives Facebook Ireland legal responsibility for the processing that takes place both in Ireland and in the USA.

Max has long been a thorn in the side of Facebook and had already submitted some 22 complaints to the Irish Information Commissioner about the practices of Facebook. Max’s earlier complaints had led to an audit by the Irish Information Commissioner of Facebook Ireland.

His 23rd complaint, and the one relevant to the ECJ decision, related to his concerns that his personal data was transferred en masse to the US with no transparency as to what surveillance was taking place.

The Irish Information Commissioner rejected the complaint. He took the view that there was no evidence that Max’s data had been subject to surveillance and he was bound by the Safe Harbor Decision which determined that transfers to US Safe Harbor companies are lawful.

Max sought judicial review of this decision. The Irish High Court, in a surprisingly robust decision, found as a matter of fact that “whilst there may be some dispute regarding the scope and extent of some of these programs it would appear… that the accuracy of much of the Snowden revelations does not appear to be in dispute… I will therefore proceed on the basis that personal data transferred by companies such as Facebook Ireland to its parent company in the United States is thereafter capable of being accessed by the NSA in the course of a mass and indiscriminate surveillance of such data”. The Court held that this was contrary to the Irish Constitution and EU law and made a reference to the ECJ on the question of whether or not the Irish Information Commissioner was bound by the Safe Harbor Decision.

Tellingly, neither Facebook nor the US Government made representations before either the Irish High Court or the ECJ. Facebook is almost certainly prohibited by US law from disclosing the nature and extent of the surveillance undertaken by US security services.

What did the ECJ say?

At the heart of the ECJ’s reasoning was the concern that the terms of the Safe Harbor freely allow US companies to disregard the Safe Harbor principles when required to do so by US law. Once personal data is released to US Government agencies, those agencies are not themselves required to comply with the Safe Harbor, and there are then no further controls on the processing that takes place.

Accordingly, the ECJ found that the EU regulators are entitled to investigate compliance with the Safe Harbor and the case will be remitted back to the Irish Information Commissioner to investigate.

More controversially, they also held that the Safe Harbor Decision itself was “invalid”. This was principally on the basis that the European Charter of Fundamental Rights (which became law in 2009) makes the protection of personal data a fundamental right of EU law. Exceptions to this fundamental right should be limited to those strictly necessary. The risk of large scale surveillance by the US government without any legal remedies meant that the Safe Harbor was inconsistent with EU law.

What should we do?

Firstly, despite some slightly hysterical coverage in the media, there is no need to panic or be rushed into doing anything.

Technically, transfers to US companies in the Safe Harbor are unlawful as of today, unless there are other arrangements in place. However, the UK Information Commissioner issued a statement yesterday sensibly suggesting that organisations should review how they ensure that data transferred to the US is transferred in line with the law, and recognising that it will take them some time to do this.

In the long term, the most obvious alternative routes are to enter into Binding Corporate Rules or EU Model Clauses (sometimes called international data transfer agreements). Many large technology companies have already put these in place as a contingency measure, and so transfers to large IT vendors should be relatively unproblematic. Other organisations may wish to follow suit – although neither method is without its complications.

Whilst the Directive allows transfers to take place where the data subjects in question each provide their “unambiguous consent” and many employment contracts contain consent language, this is rarely relied upon. Firstly, there is a concern that consent will generally not be freely given in the case of employees and so is invalid. Secondly, it is usually practically impossible to obtain consent from all data subjects whose data is likely to be transferred.

In the short term, the UK Act allows UK data controllers to make their own adequacy assessment, and some companies may consider relying on this basis for transfer as a transitional arrangement until they are able to enter into Model Agreements or adopt Binding Corporate Rules. Companies who merely transfer internal employee data, where there is little (if any) likely interference by US authorities with data held by their US parent, may determine that the particular transfers of data in question to the US do still include adequate safeguards for the rights of data subjects. We can provide further advice on making adequacy assessments. This option will not be open to companies with operations across the EU, as a result of differences in the way that the Directive is implemented in each member state.

What Next?

Most companies will adopt Model Clauses or Binding Corporate Rules over the coming months in response to this decision, but these do not offer a panacea, as they are open to challenge on the same basis as the Safe Harbor. However, it will take years for any such challenge to reach the ECJ.

In the meantime, the EU and US will continue their negotiations over Safe Harbor v2 and it is expected that the ECJ decision will prompt a political resolution.

Responding to the ECJ decision the US Secretary of Commerce Penny Pritzker stated that the decision “necessitates release of the updated Safe Harbor Framework as soon as possible”.

Organisations that routinely receive law enforcement requests from US authorities should seek specific legal advice in relation to these issues and the options available to them. However these are likely to be focussed on customer/client data rather than HR/business data and so will be less problematic for HR teams.

Our team has substantial expertise in this area. We have experience advising on international data transfers, multinational cloud computing projects and responding to overseas legal requests from various agencies.

For more information please contact:

Daniel Pollard
Partner
020 3375 0331
[email protected]

Darren Isaacs
Partner
020 3375 0339
[email protected]