Wednesday 7 October 2015

No safe harbour in the US

As has been widely reported, on 6 October 2015 the Court of Justice of the European Union gave judgment in the case of Maximillian Schrems v the Data Protection Commissioner for Ireland, holding that the European Commission Decision creating the "safe harbour" for the transfer of personal data from the EU to the US was invalid.

European data protection law prohibits the transfer of personal data outside the EU except to a country which "ensures an adequate level of protection" for personal data or where certain exceptions apply - for example where the data subject has given "unambiguous consent" to the transfer, or where "binding corporate rules" have been agreed to provide a contractual means of protection.  There is a very limited list of countries which have been found by the EU to ensure an adequate level of protection.  But, crucially, that list included, by Commission Decision 2000/520/EC of 26 July 2000, the EU/US "safe harbour" agreement, with which US companies could self-certify their compliance.  The US safe harbour was of vital importance to the large number of international businesses which transfer customer data to their US operations, and with the growing importance of the Cloud even companies with no US operations are increasingly storing data on servers which are physically located in the US - and have therefore been relying on their Cloud service providers' confirmation that they are signed up to the safe harbour.  (Or at least they should have been relying on it, if they had properly addressed their minds to the issue.)

All this was thrown into doubt when Edward Snowden revealed that the US intelligence agencies, and in particular the NSA, carried out widespread and indiscriminate surveillance of data stored by US companies.  We now know that US companies have to give the NSA access to their data, and so cannot guarantee persons in the EU the adequate level of protection their personal data requires, as the surveillance is carried out on an indiscriminate basis, rather than on a proportionate basis where necessary for national security purposes - such as to combat terrorism.

Mr Schrems (who is an Austrian citizen) therefore brought a case requiring the Irish Data Protection Commissioner to prohibit Facebook Ireland (which held his personal data on Facebook) from transferring that data to servers operated by Facebook Inc in the US for processing.  The Irish High Court considered it was bound by Commission Decision 2000/520/EC on the safe harbour, but had its doubts as to the validity of the decision in the light of the Snowden revelations, so referred to the CJEU the question whether it was bound to follow the safe harbour Decision.

The CJEU held that it was not, and that national data protection authorities are not prevented by Commission Decisions from carrying out their own assessment.  However, the Court went on to take the opportunity to hold (despite not having been expressly asked to do so by the Irish court) that Decision 2000/520/EC is invalid - particularly in the light of subsequent revelations.

So where does this leave the many companies that have been relying on the safe harbour to transfer customer data to their US operations, or just to store it in the Cloud?  They cannot just wait and see what happens when the case goes back to the Irish court to decide in the light of the CJEU's guidance, as the CJEU has already held the safe harbour invalid.  Nor can they wait for the EU and US to conclude their current negotiations for an amended safe harbour, as that will take some time and they need to continue transferring personal data.  Binding corporate rules or standard contractual clauses in the form approved by the EU should be an option, but it is difficult to see how a US company could comply with any contractual data protection obligations it might undertake, given that it would be bound to give the NSA access to its data.  There is a limited exception where "the transfer is necessary for the performance of a contract between the data subject and the controller", which might arguably be used to perform existing contracts with customers.  But for the moment, the only viable option seems to be to obtain the unambiguous consent of customers to transferring their data to the US by an express opt-in, warning them of the risk of surveillance by the NSA (in case anybody isn't already aware of this, or doesn't appreciate that it could happen in this case).  Realistically this would involve ceasing to provide the service to the customer unless they click to confirm their opt-in to a clear warning message.

The alternative is to find a non-US Cloud service provider with servers in the EU or a country which is still considered to offer adequate protection; the list being Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
