Transfer of Personal Data to US Invalid
The European Court of Justice has held that Commission Decision 2000/520/EC of 26 July 2000 (the “Commission Decision”), which permitted the transfer of personal data from the EU to US companies that had signed up to the so-called ‘Safe Harbour’ data protection principles, is invalid. This ruling could have far-reaching implications for the way in which companies transfer their employees’ personal data to the United States.
The EU Data Protection Directive prohibits the transfer of personal data from the EU to third countries, unless those countries ensure an ‘adequate’ level of protection for such data. Under the Safe Harbour framework, US-based companies can certify their commitment to a set of data protection principles which ensure an adequate level of protection for personal information transferred to such companies in the US. This framework has widely been relied upon by companies in the EU to legitimise the transfer of, among other things, their employees’ personal data to US-headquartered parent companies and US-based providers of services such as cloud computing and HR software systems.
Following revelations that US intelligence agencies had been conducting mass surveillance of personal data stored and processed electronically in the US, MS, an Austrian citizen, became concerned about the transfer of his personal data by Facebook’s European subsidiary, Facebook Ireland Ltd, to its US parent company, Facebook Inc., under the Safe Harbour framework. MS complained to the Irish Data Protection Commissioner (the “DPC”), asking him to exercise his powers under Irish law to prevent Facebook from transferring MS’s personal data to the US. The DPC rejected the complaint, which led to High Court proceedings in Ireland, culminating in a reference to the ECJ.
The Court held that the national data protection authorities of the Member States must be able to examine independently whether the transfer of personal data to a country outside the EU complies with the requirements of the EU Data Protection Directive. The Court also noted that the Safe Harbour principles only apply to US companies that sign up to them, not to US public authorities.
The case will now return to the Irish High Court, which is expected to instruct the DPC to conduct a full investigation into MS’s complaint against Facebook.
Niki Avraam, Head of Howat Avraam Solicitors’ Employment team, comments: “This judgment will increase the pressure on both sides in respect of ongoing negotiations between the US and the EU on establishing an amended Safe Harbour framework, to be concluded quickly. In the meantime, companies that have been relying on the Safe Harbour framework to legitimise their transfers of personal data, including employee data, to organisations in the US will have to find other ways of doing so if they are to comply with the Data Protection Directive.”