Safe Harbour Not so Safe

Mirkwood Evans Vincent data transfer

Under the terms of the European Privacy Directive 95/46EC (and in the UK, the Data Protection Act 1998), European based data controllers are prohibited from transferring personal data outside of the European Economic Area, to associated companies or third parties, unless the non-EEA country adequately protects personal data and the rights of personal data subjects.

The only countries, which have been approved or “white listed” by the EU to receive data transfers from EU countries are Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey and Switzerland.

Where data is sent outside the EEA to a non- white listed country, the transfer must either be protected by a legal agreement in an approved EU form (such as the most current version of the EU Model Clauses), or be subject to some other form of transfer approved by the EU.

For the past fifteen years, we have all assumed that one way to transfer personal data legitimately to the USA, without either (a) putting an EU Model Clauses Agreement in place, or (b) going to the expense of getting binding corporate rules approved by more data protection commissioners than you can shake a stick at; was to transfer it to a company or organisation, which was a member of the so-called “Safe Harbour” Arrangement, based on a self-certification procedure managed and controlled by the US Federal Trade Commission (the “FTC”).

There have been rumblings for a while that there were issues with Safe Harbour, following Mr Snowden’s revelations about data being accessed by (or even being made accessible to) the US Government, but then on 7th October, our worst fears were realized when the European Court of Justice ruled that “Safe Harbour” was not safe any more, based on the application of Mr Schrems, who objected to Facebook Ireland transferring his personal data to Facebook in the USA.

So what do you do now if you have been transferring personal data to the USA based on a Safe Harbour self-certification?

Our advice would be to put in place an EU Model Clauses Agreement and not rely on Safe Harbour any more.

For advice or more information, contact