Guidance to Members on the European Court of Justice Safe Harbour Decision | DMA
DMA - Data and Marketing Association

Filter By

Show All
X
Start Contributing
My Contributions
X
X

Connect to

X

Guidance to Members on the European Court of Justice Safe Harbour Decision

07 Oct 2015

T61508412323f-ecj00x_56150841231a5-74.jpg

The European Court of Justice ruled on 6 October that US companies do, "not afford an adequate level of protection of personal data”, and the so-called Safe Harbour agreement is now invalid

1. What was Safe Harbour?

The EU's privacy laws are amongst the toughest in the world, and companies are not permitted to send personal data elsewhere. The EU is also a vast single market, and so highly attractive to non-EU companies. Safe Harbour was the system agreed between the EU and USA that permitted US companies to obtain accreditation that guaranteed data protection equivalent to that found in the European Union.

The European Court of Justice (ECJ) decision now makes this system invalid.

2. What was the decision of the ECJ?

The ECJ made two decisions:

  • It invalidated the European Commission’s approval of the Safe Harbour Principles, defined back in 2000, which many organisations use to transfer personal information between Europe and the USA
  • It allows national data protection authorities in the Member States to carry out their own investigations into whether a country outside Europe has an equivalent level to the protection of personal information as defined in the 1995 European Data Protection Directive. This even applies if the European Commission has found that a country does indeed provide an adequate level of protection

Only the ECJ, and not a national data protection authority, can declare such a decision by the European Commission invalid.

3. My organisation currently transfers personal information to a USA-based organisation, under the Safe Harbour Principles. What should my organisation do now?

Don't panic. Data already transferred to US-based companies under Safe Harbour will be unaffected.

However, from today, it would be a breach of data protection regulations to do so. But, as the Information Commissioner’s Office (ICO) points out, it's reasonable to expect that new arrangements may take some time, and give organisations time to find alternative solutions.

Organisations that use the Safe Harbour principles will need to review how they ensure that personal information transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this.

4. What are the alternative legal grounds for transferring personal information to the USA?

There are two main possibilities:

Model Contract Clauses

There are two versions of Model Contract Clauses produced by the EU for transfers of personal information to countries outside Europe. Read the ICO's guidance on Model Contract Clauses here.:

  • Where a data controller in Europe transfers personal information to a data controller in the USA. This could be where a list owner in the EU transfers personal information to US-based company that wants to market to European citizens
  • Where a data controller in Europe transfers personal information to a data processor in the USA. This could be where a European based organisation transfers personal information to an email service provider in the US, where the emails are sent from the USA

If you use Model Contract Clauses, you need to make sure that the problems identified by the ECJ are overcome. Notably:

  • The Snowden revelations demonstrate a significant overreach on the part of US intelligence services, with large-scale surveillance and intercept. European citizens have no right to challenge US intelligence services who want to access their personal information when held by a US organisation.
  • The US organisation the personal information is transferred to is subject to US law. If US intelligence services ask the US organisation for personal information, it has to disclose it. The US organisation cannot challenge the decision and it cannot alert the European based organisation either.

Binding Corporate Rules

This is a procedure where an organisation ensures that its internal policies and procedures ensure any transfers within the group but to another country are protected under the European Directive 1995.

Policies and procedures have to be approved at a European level and the approval process takes some time. It is only really suitable for large organisations.

More information about Binding Corporate Rules can be found here.

Again, organisations will have to ensure that the problems identified by the ECJ with the Safe Harbour principles as discussed above in the section on Model Contract Clauses are overcome.

5. What about the discussions on negotiating a revised set of Safe Harbour Principles?

The European Commission identified in 2013 that there were problems with the existing Safe Harbour Principles, thanks to the Snowden revelations. The EU is already in negotiations with the USA to develop a revised set of Safe Harbour Principles, and the ECJ judgement recognises this.

It will be interesting to see whether the ECJ judgement will speed-up these negotiations.

James Milligan James Milligan

Data & Marketing Associations
DMA Solicitor

Subscribe for industry news, insight and analysis
Hear more from the DMA

Please login to comment.

Comments

Related Articles

The Power of Customer Journey Analytics in Telecommunications

The telecom industry boasts an array of touchpoints, presenting both opportunities and challenges for marketers. Ensuring that campaigns not only resonate but also yield results is critical.

iStock-1473164518-modified-f4e3c11c-cd81-417a-a5bf-adaf217da044.jpg

Managing Customer Data Silos in Telecommunications

The telecommunications sector grapples with a pressing issue: customer data silos.

iStock-1180187740 600x400.jpg

The Importance of Data Quality and Data Confidence in Customer Experience

We live in the information age, where customer insight expands with every click, swipe, and interaction.

iStock-1363814424 600x400.jpg

The Future of Customer Experience - Predicting trends for the year ahead

Placing customers at the heart of business is nothing new – happy customers tend to be loyal, and with each passing year, we’re seeing more and more companies recognise the value of delivering a great customer experience (CX).

CX predictions_iStock-1477183258.jpg

Expand

Copyright DMA 2024 © All Rights Reserved