Posted by John North, Partner
On 1 September 2016 Withy King LLP merged with Royds LLP. The trading name for the merged firm is Royds Withy King. All content produced prior to this date will remain in the name of the firms pre-merger.
EU to US Data Transfers
The EU and the USA signed an agreement which came into effect in 2000. The agreement was called the Safe Harbour Agreement (‘the Agreement’). The purpose of the Agreement was to streamline the way in which American firms obtained data from Europe cost-effectively without contravening the rule that personal data must not be transferred to parts of the world where there were not adequate privacy protections in place. The Agreement allowed around 5,000 American companies to bypass European privacy laws.
Challenge
In 2013, Edward Snowden, a whistleblower, leaked details about a surveillance scheme called Prism which was operated by the American National Security Agency. The agency had supposedly gained access to data concerning Europeans, stored by American firms. It was suggested that these activities were covered by the Agreement. Mr Max Schrems, a privacy campaigner, questioned and contested these activities. The matter was later referred to the European Court of Justice in the case of Maximillian Schrems v Data Protection Commissioner [2015].
The Ruling of Maximillian Schrems v Data Protection Commissioner [2015]
The Agreement was ruled ‘invalid’ on 6th October 2015.
It was ruled that personal data should not be transferred to American firms on the sole basis that the firms were Safe Harbour-certified. In order for American firms to export data now, the firms involved may have to sign ‘model contract clauses’. These clauses set out the American organisation’s privacy obligations, which will ensure that the organisation has put in place ‘adequate safeguards for the rights and freedoms of data subjects’ pursuant to paragraph 9, Schedule 4, the Data Protection Act 1998 (‘DPA’).
The impact
The ruling affects the likes of social media sites and all companies which transfer data to servers based in America. Individual countries’ data regulators can now challenge transfers of data from Europe to America. Countries making use of cloud services will need to ensure that their actions are EU DPA compliant.
Should you have any questions about the above case, please contact John North, Claus Andersen or Tony Roberts.