Until recently it was widely accepted in the EU (following a Commission decision in 2000) that, under the EU/US “Safe Harbor” scheme, the US ensured an adequate level of protection for personal data transferred to it. Accordingly, companies have transferred personal data from the European Union to the United States in reliance on that decision, in compliance with the EU Data Protection Directive. However, a recent ruling of the Court of Justice of the European Union has found that the Commission’s Safe Harbor decision is invalid.
As is the case for many European Facebook users, Austrian user Maximilian Schrems’ personal data was transferred from Facebook’s Irish subsidiary to servers located in the United States. Following Edward Snowden’s 2013 revelations about the US government’s surveillance activities, Schrems complained to the Irish data protection regulator, claiming that the law and practices of the United States offer no real protection against surveillance by the US authorities of data transferred to that country. The Irish regulator rejected the complaint, relying largely on the Commission’s adequacy decision. Schrems then challenged that rejection before the Irish courts.
The High Court of Ireland referred the case to the European Court to ascertain whether the Commission's finding of adequacy has the effect of preventing a national supervisory authority from investigating a complaint alleging that the country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.
The European Court’s ruling
The European Court ruled on 6 October 2015 that:
- the Commission did not have the power to restrict national data protection regulators’ ability to investigate complaints about transfers to a particular country and, where appropriate, to suspend those transfers;
- legislation allowing public authorities generalised access to the content of electronic communications compromises the essence of the fundamental right to respect for private life; and
- US national security, public interest and law enforcement requirements prevail over the “Safe Harbor” scheme, which binds only the US companies that sign up to it and not US public authorities, so that interference by those authorities with the data is not constrained by the scheme.
The Court further ruled that the Commission’s Safe Harbor decision is invalid. As the Court’s summary of the judgment puts it, “This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the Directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data”.
This could become an administrative nightmare, as US companies may find themselves having to comply with rulings from numerous national data protection authorities, which need not agree with one another. The European Commission has said that it will issue “clear guidance” in the coming weeks to prevent national authorities issuing conflicting rulings.
What are the implications for businesses?
Businesses should no longer rely on the US “Safe Harbor” scheme to transfer personal data to the US. This does not mean that transfers to the US are no longer possible: the Directive provides other mechanisms under which a transfer can be made lawfully.
Businesses should review every transfer of personal data to the US, including transfers to service providers and to group companies, and consider alternative mechanisms, such as having both parties sign up to the Commission-approved model contract clauses. The Information Commissioner’s Office (“ICO”) provides guidance on model contract clauses. For transfers within a corporate group, binding corporate rules are another option. Obtaining the individual’s free and informed consent is a further option, but it must be considered carefully if it is to be relied on alone: consent must be genuinely free and informed, and it can be withdrawn.
In a statement, the ICO recognised that such a review will take businesses some time. The message is that, although relying on the “Safe Harbor” scheme to transfer personal data is no longer lawful, the ICO may allow businesses a period in which to get their affairs in order.