Transfers of personal data outside of the EEA are only permitted if the destination has in place adequate data protection provisions. The relevant law is the EU Data Protection Directive as enacted in English law by the Data Protection Act 1998. Certain countries (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey and Switzerland) are considered by the European Commission to have adequate data protection in place and data may be transferred to any of these jurisdictions without the need for additional data protection safeguards.
For anyone wishing to transfer data to the USA there is in place a system called the Safe Harbour Agreement, by which data recipients in the USA can be certified as providing adequate data protection. On 6th October 2015, as a result of a case brought by an Austrian privacy campaigner, Max Schrems, in relation to the use that Facebook makes of its subscribers’ data, the European Court of Justice ruled that the Safe Harbour Agreement is invalid.
At present more than 5000 US companies make use of the Safe Harbour system to facilitate the transfer of data from the EEA to the USA. This can relate to subscribers’ information (such as Facebook members) or employee and customer data for multinational corporate groups. These businesses will all need to consider their position and make new arrangements in relation to all future transfers of personal data.
So what can be done?
Companies may enter into “model contract clauses”. The model contract clauses are an approved set of provisions detailing how personal data will be safeguarded. The basic provisions are in standard form; the details of the data being transferred, and the steps that the US-based recipient will take to safeguard that data, are then added.
Binding Corporate Rules are another possibility. Binding Corporate Rules (BCRs) are a binding global code of conduct enforcing EU data protection standards which are adopted within corporate groups. BCRs have to be both binding and legally enforceable by and against all group companies and employees. The BCRs are approved by the relevant national data protection authority in accordance with local national legislation.
As an alternative, data can be transferred provided that the data subject has given specific and informed consent to this. If that consent is later withdrawn then no further data may be transferred. As a result it is very difficult for companies to rely on such consents if large amounts of data (for example employee and payroll information) are to be transferred. It is also likely that companies transferring data under the Safe Harbour system do not have in place the relevant consents from all affected data subjects.
The US and European authorities have been working on a new version of Safe Harbour for the last two years, but this is some way off being adopted. In the meantime companies caught out by the ECJ’s ruling need to stop transferring data or to use model contract clauses or BCRs. Failure to do so may lead to infringement actions by local data protection authorities, which in the UK could lead to fines of up to £500,000.
If you have any concerns regarding the Safe Harbour Agreement, please contact Tollers Partner, Liz Appleyard on 01908 306950.