Search our news, events & opinions

8 December 2015 0 Comments
Posted in Employment, Opinion

Transferring data to the US: no “safe harbour”

Posted by , Partner

Do you transfer customer data to the United States as part of your business? If you do, you should be aware of the recent European Court of Justice decision.

transferring data

Austrian law student, Max Schrems, had used Facebook since 2008. As is the case for all Facebook users in the EU, the data he provided through Facebook was transferred from Facebook’s Irish subsidiary to the United States, where it was processed. Following Edward Snowden’s revelations in 2013, Mr Schrems was concerned that the US could not ensure adequate protection of his data against surveillance by US public authorities. He asked the Irish Data Protection Commissioner (DPC) to prevent Facebook in Ireland from transferring his data to the US.

The DPC however took the view that the transfer of Mr Schrems’ data to US was covered by something called the “safe harbour agreement”, so no further action was needed. Mr Schrems’ challenged the DPC’s decision and the case has proceeded to the European Court of Justice.

What is the “safe harbour agreement”?

Data Protection law provides that the transfer of personal data to a third country can only take place if that third country ensures an adequate level of data protection. The “safe harbour agreement” was an agreement between the EC and the US government that promised to protect EU citizens’ data that was transferred to the US. It allowed companies such as Facebook to transfer an individual’s data to the US.

The ECJ decision

The ECJ has now ruled that an individual’s personal data should no longer be transferred to companies in the US solely on the basis that they are safe harbour-certified. The safe harbour agreement that allows the transfer of European citizens’ data to the US is no longer valid.

What does this decision mean for your business?

For 15 years, businesses who transfer data to the US have relied on the safe harbour regime and will now need to consider alternative ways of covering data transfers to the US.

This may mean:

  • getting the express consent of your staff to transfer their personal data
  • updating your employment contracts and policies to deal with data protection outside of the EU
  • having a written agreement with the company in the US you’re transferring the data to.

If you would like to discuss this issue, or any other employment law matter, please get in touch with our specialist Employment & HR team.

0800 051 8054     Email usemp.enquiries@roydswithyking.com

Leave a comment

Thank you for choosing to leave a comment. Please keep in mind that comments are moderated and please do not use a spammy keyword or a domain as your name or it will be deleted.

*required*

**required*

*optional*

Employment

It pays to employ the right employment solicitor

Learn more

Partner

T: 01793 847 722 (DDI)
Email

Search our news, events & opinions