15 October 2015

Data protection and data transfer from the EU to US: Safe Harbor agreements ruled invalid

Multinational employers must take note of a ruling from the European Court of Justice (“ECJ”) that will have a significant effect on the legality of passing employees’ personal data to the US.

EU law states that personal data must not be transferred to a country or territory outside the EU unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects. Employers in the EU who transfer employee personal data to the US have for a number of years been able to ensure compliance with EU data protection law provided the US entity signs up to principles broadly matching those under the EU Data Protection Directive. 

This was established by a European Commission ruling in 2000 establishing the so-called “Safe Harbor” agreement. US organisations who signed up to and complied with the agreement were, until now, authorised to accept data transfers from the EU without the need for further approval.

Now a judgment by the ECJ has ruled the Safe Harbor agreement invalid, following a case pursued by an EU citizen Maximillian Schrems who was concerned about Facebook's transfer of his personal data to the US. Against the background of the disclosures by Edward Snowden about US authorities' far-reaching surveillance and use of personal data held by US corporations, the ECJ has found the protections of the Safe Harbor agreement to be inadequate.

For full details of the case please refer to our full article on safe harbor agreements.

What should employers do now?

This ruling has major implications for employers who transfer employees’ personal data from the EU to the US. Such employers should now urgently review their arrangements. To the extent they rely on the Safe Harbor agreement, the legality of their data transfers is now in question.

Other options for ensuring legal data transfers to the US from the EU include:

  • implementing standard contractual provisions between the data controllers / processors authorised by the Information Commissioner to govern the data transfer;
  • where a transfer is carried out by a UK-established company to other members of its group in different jurisdictions, by agreeing legally enforceable rules between those companies, again in a form approved by the Information Commissioner.

However, it is possible that further litigation will undermine the lawfulness of these options as well, given the apparently fundamental concerns held by the ECJ about data privacy in the US. Negotiations for new data protection agreements between the EU and the US are under way but this development can only complicate and delay them. We will keep you posted.

Data Central

Have you checked out our new Data Hub? Data Central contains a range of resources to help our clients minimise the legal, regulatory and commercial risks this data-driven environment presents and ensure that its full value is being realised.

A Guide to Doing Business in China

We explore the key issues being considered by clients looking to unlock investment opportunities in the People’s Republic of China.

Doing Business in China
Share on LinkedIn Share on Facebook Share on Twitter
    You might also be interested in

    El Tribunal Superior de Justicia de la Unión Europea da un giro de 180º al criterio interpretativo acerca del periodo de 90 días en los despidos colectivos

    19 November 2020

    Analysis of the new employment measures approved by the Spanish Government in the Royal Decree-Law 15/2020 of 21 April

    22 April 2020

    Analysis of the Royal Decree-Law 11/2020: further urgent complementary measures in the employment, social and economic field

    01 April 2020

    Analysis of the most relevant decisions about Employment Law related to Royal Decree Law 9/2020 and Royal Decree Law 10/2020

    30 March 2020

    This site uses cookies to enhance your experience and to help us improve the site. Please see our Privacy Policy for further information. If you continue without changing your settings, we will assume that you are happy to receive these cookies. You can change your cookie settings at any time.

    For more information on which cookies we use then please refer to our Cookie Policy.