US Safe Harbor scheme does not provide data subjects with "adequate" protection
The European Court of Justice (ECJ) has recently ruled that the Safe Harbor scheme relied on by many universities (as well as other organisations operating in the EU) for the transfer of personal data to the US does not provide EU citizens with adequate protection in respect of data security.
Background
The ECJ’s ruling follows a complaint made by an Austrian citizen, Maximilian Schrems, to the Irish Data Protection Commissioner about Facebook. Like all Facebook users in Europe, Mr Schrems’ user profile and personal data was collected by Facebook’s Irish subsidiary, which then transfers it to the servers hosted by Facebook Inc. in the United States on the basis of Facebook Inc.’s Safe Harbor certification.
However, following revelations made by whistleblower Edward Snowden in relation to the US National Security Agency (NSA), Mr Schrems complained to the Irish Data Protection Commissioner that the US, and the Safe Harbor regime that it operates, did not offer ‘adequate’ protection for his personal data if the US authorities could use that data for non-specific surveillance and monitoring operations.
The Irish Data Protection Commissioner rejected this complaint on the grounds that the European Commission had determined in 2000 that the Safe Harbor scheme provided adequate protection.
Mr Schrems then sought judicial review by the High Court of Ireland, which in turn sought direction from the ECJ.
ECJ ruling
The ECJ’s ruling finds that the European Commission’s 2000 decision is now invalid. Further, the ruling appears to state that the Commission erred in its original decision when it failed to conclude that the US (Safe Harbor) ensures a level of protection to fundamental rights essentially “equivalent” to that guaranteed within the EU. This could potentially mean that the Commission’s 2000 decision has always been invalid.
The ruling highlights the fact that US authorities are lawfully permitted to conduct large-scale monitoring and collection of EU citizens’ personal data irrespective of the requirements of the Safe Harbor scheme. Furthermore, the ruling notes that US legislation does not provide for adequate remedies for individual data subjects resident in the EU against the US authorities.
Accordingly, the ECJ considers that the Commission failed to take into account the existence of US laws which, in effect, enable interference by US authorities of the fundamental right to privacy enjoyed by EU citizens, and therefore Safe Harbor cannot provide “adequate” or “equivalent” protection.
Consequences
The impact of the ECJ’s ruling is significant, particularly for the many British universities which do business with, and disclose personal data to, organisations based in the US. The Safe Harbor scheme has previously enabled the development of international services, in particular the use of cloud and other technology-based services e.g. payroll administration, CRM systems, website and email services, and outsourced marketing services.
Those universities currently relying on Safe Harbor should review their arrangements and take immediate steps to ensure adequate protection in accordance with UK law, for example, by entering into EU Model Clauses (although it remains to be seen whether these too might be susceptible to challenge); otherwise they may be operating in breach of the Data Protection Act 1998.
That said, the Information Commissioner's Office (ICO) has acknowledged that it will take some time for organisations to carry out those reviews and implement appropriate systems. That acknowledgement is to be welcomed as it means that, for the time being at least, the ICO does not intend on taking enforcement action for non-compliance.
Nevertheless, if your university transfers personal data to the US, including through tools such as Microsoft 365, Google Drive or other cloud-based storage, we strongly recommend that you promptly review your arrangements.
In the meantime the US and the EU are in the process of drawing up replacement arrangements, to be known as “Privacy Shield”, which will also be subject to consultation with the EU’s 28 national data protection authorities. Please see this article for more information.
For more information or advice in this area please contact Alan Grisedale on 0191 211 7956 or [email protected].