The European Court of Justice (ECJ) has today handed down a landmark ruling that could affect all companies which transfer personal data about their customers or staff to hosting companies in the US. If any US companies process any of your data then, as a result of this decision, you may need to sign new model clause contracts with those companies.
What is Safe Harbour?
Previously, companies in the European Union could transfer personal data to US companies that were members of ‘Safe Harbour’. The Safe Harbour framework came into effect in 2000. The framework provided guidance for US companies on how to provide adequate protection for personal data so as to comply with the EU’s Data Protection Directive. It permitted US companies that complied with its rules to receive data from EU companies without breaching Europe’s stricter data protection rules, which prohibit personal data from being transferred to and processed in parts of the world that do not provide “adequate” privacy protections.
Why has it been declared invalid?
After Edward Snowden revealed that US companies, including Facebook, were being forced to provide personal data to US authorities, Maximilian Schrems asked the data protection authority in Ireland (where Facebook has its European base) to prevent his personal data being sent to the US. It refused and Mr Schrems issued High Court proceedings. The High Court referred the matter to the ECJ.
Today the ECJ has stated that the Safe Harbour agreement is invalid as it “enables interference, by United States public authorities, with the fundamental rights of persons…”.
What should my company do now?
All EU companies which transfer data to US companies, whether it’s to store documents, send out mailing lists, carry out payroll services etc., will have to sign up to model clause contracts. Some of the larger US companies will not be affected by this decision, e.g. Microsoft’s Outlook 365 already has its own privacy agreement which has been approved by the EU’s data protection authorities. However, smaller US companies are more likely to be affected by today’s decision and many are currently reviewing their options.
The Information Commissioner’s Office has released a statement, but as yet there is no guidance for UK companies as to what they should do to ensure compliance with the data protection legislation now that Safe Harbour is invalid. Our advice is to check where the companies you transfer data to are based and, where necessary, ask them to sign new model clause contracts to ensure that the data you transfer is protected.
Please contact us if you need new model clauses drafting or if you would like advice to ensure that you are complying with data protection rules.