Harbouring Doubts: EU/US Data Transfer Scheme Not So Safe

The spotlight on the PRISM programme has raised a range of privacy concerns, the latest of which is whether the current safe harbour arrangements, which permit data controllers in the EU to transfer personal data to organisations in the US without breaching the Data Protection Act, are actually safe.  Our DP experts have previously written that 'safe harbor' is potentially unsafe (particularly when using the cloud) and now the EU wants to review the entire arrangement.  So, if you currently rely on 'safe harbor' or you're thinking of using it, this is for you!

The eighth principle of the DPA prevents personal data from being transferred to or processed outside the EEA, which is a nightmare for most organisations that work with service providers or use IT infrastructure located outside the EEA to store or process personal data.

Thankfully, there are some exceptions:

  • Secure the consent of each affected data subject to the transfer of their data to the US (but this isn't recommended, as by its nature, consent is revocable).
  • Undertake an assessment of the adequacy of local laws in the destination country and put contractual, technical and organisational measures in place to ensure that the data is subject to appropriate safeguards (which is time-consuming, expensive and high-risk, particularly if you get the assessment wrong).
  • Use the EU model clauses (which is the most heavily utilised way of dealing with the restriction in practice but pretty 'clunky').
  • Choose a destination country which the EU has deemed to have appropriate privacy laws in place offering equivalent protection to the DPA (e.g. New Zealand, Argentina, Canada, Switzerland... or the US, provided that the recipient is registered with the 'safe harbor' scheme, under which the recipient 'self-certifies' that it has appropriate safeguards in place).

The issue for organisations that arrange for personal data to be processed in the US (which may include customer/policy data or employee data, particularly where services are outsourced or Software as a Service platforms are used, including HR and CRM systems) is that the 'safe harbor' scheme is viewed (and has been viewed for some time) by the EU privacy regulators with some concern.

If you're thinking of using safe harbor, it would be sensible to consider the other available options, on the basis that a review of the current arrangements seems highly likely and may result in significant changes to the scheme or in it disappearing altogether (we are told that it is under review at EU level and that the report will be concluded before the end of this year).  Similarly, if you currently rely on 'safe harbor', it would be sensible to identify and review those arrangements in the short term and to look at migrating to another compliant way of dealing with the eighth principle.

The final twist on this issue is that the EU Justice Commissioner, Viviane Reding (a staunch supporter of data protection reform), is seizing on PRISM as 'a wake-up call' which clearly demonstrates the need for urgent data protection reform.  Things have gone fairly quiet on the new General Data Protection Regulation, but we expect to see a sharp re-focus on the Regulation in the next few months.  Acceleration of data protection reform is being strongly supported by France and Germany, and Viviane Reding sees the reform of EU data protection law as the answer to the issues raised by PRISM, including the current safe-harbor regime.

It is worth noting that the current proposed regulation would have extra-jurisdictional effect, so that it would apply to data controllers and data processors who process EU citizens' personal data even where the controller/processor is based outside the EEA.  We've already seen, in the case of 'WhatsApp', that some EU member state privacy regulators believe that in some circumstances US-based data controllers should already comply with the relevant EU state privacy laws.

So, in short, safe-harbor is risky from a data protection compliance perspective and it may soon disappear altogether.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.