Choppy Waters in the Safe Harbor?
The recent judgment from the Court of Justice of the European Union (CJEU) that the Safe Harbor Scheme may not provide adequate protection for personal data transferred from the UK to the US has understandably caused a good deal of concern for UK businesses. Businesses should now re-examine all of their cross-border data flows, and undertake an audit of any contracts under which personal data is processed, whether they are carrying out the processing themselves or have engaged a third party to process the personal data.
The Data Protection Act 1998 (DPA) prohibits companies from sending personal data to countries outside of the European Economic Area (EEA) unless those countries ensure an “adequate level of protection” for that information. In 2000, the European Commission agreed with the US a set of principles, broadly the same as the principles set out under the DPA, which were known as “Safe Harbor” principles, and UK companies were permitted to transfer personal data to US companies which had registered for the Safe Harbor Scheme (and in doing so, agreed to abide by the Safe Harbor principles).
The revelations by Edward Snowden about the “snooping” practices of the US authorities, however, called into question whether the Safe Harbor framework was able to guarantee EU data subjects an adequate level of protection for their personal data, and last week the CJEU decided that it couldn’t. There is now a question mark over all Safe Harbor arrangements (such as those with Canada and New Zealand).
The ruling means that businesses (data controllers) which send personal data to the US will no longer be able to rely on the recipient certifying its compliance with the Safe Harbor Scheme and will have to find other ways to ensure compliance with the DPA. Also, businesses which process data on behalf of clients (data processors) under contracts requiring them to “comply with all applicable data protection legislation as if they were a data controller”, or other similarly broad wording, may now find themselves in breach of those contracts if they have previously been relying on Safe Harbor certification in order to send data to the US. The judgment will also be worrying for UK companies storing employee or individual client data with US-based cloud service providers or sending it to servers based in the US.
So what are the options for businesses that want or need to continue sending personal data to the US? Whilst we are in somewhat uncharted waters at the moment, and a “panic reaction” will undoubtedly be unhelpful at this stage, businesses will need to look at:
- whether they can get consent from data subjects to the data transfer;
- using the standard contractual clauses produced by the EU (sometimes called the Model Clauses); and/or
- adopting Binding Corporate Rules.
All of these options do have their disadvantages, however. Binding Corporate Rules, which a company draws up itself, can only be used intra-group, and each set needs to be expressly agreed by the relevant data protection authorities. We have been made aware that some businesses are receiving copies of the Model Clauses from customers and suppliers with a suggestion that these are used to replace previous reliance on Safe Harbor certification. Caution needs to be exercised here, though, as the Model Clauses have to be adopted without derogation or amendment, which can make them difficult to fit into existing contractual arrangements, and there are no Model Clauses for processor-to-processor contracts. It may be easier (if possible) to avoid altogether the need to transfer the data, particularly any sensitive personal data, in the first place, given that getting informed consent from data subjects is often impractical. Contracts should be examined on a case-by-case basis to see what solution best fits the particular circumstances.
This uncertainty is clearly not helpful to business, and a new safe harbor framework, which was already being negotiated, still looks some way off. In the meantime, US authorities have announced that they are “prepared to work with the European Commission to address uncertainty created by the court’s decision so that the companies who have complied ‘in good faith’ with the framework can continue to thrive”. The Information Commissioner has said that he will issue further guidance on the alternatives for businesses transferring data to the US, and will give UK businesses time to make alternative arrangements.