Employment e-Brief: The Safe Harbour isn’t safe

Like all shark attacks this has a slow build up but a big bite…

The EU Data Protection Directive prohibits the transfer of personal data from the EU to third countries, unless those countries ensure an ‘adequate’ level of protection for such data.

The Commission established a system whereby US-based companies could certify their commitment to a set of data protection principles known as the ‘Safe Harbour’ framework which was accepted as ensuring an adequate level of protection.

The Safe Harbour framework has been widely relied upon by companies in the EU to legitimise the transfer of data to US based associated companies.

Following revelations that US intelligence agencies had been conducting mass surveillance of personal data stored and processed electronically in the US, an Austrian citizen brought High Court proceedings in Ireland, which referred the issue to the ECJ.

The ECJ has now held that the national data protection authorities of the Member States must be able independently to examine whether the transfer of personal data to a country outside the EU complies with the requirements of the EU Data Protection Directive.

The Court stated that the Safe Harbour principles apply only to US companies that sign up to them, not to the US public authorities, and that they are overridden by US national security, public interest and law enforcement requirements. It held that this did not ensure an adequate level of protection for personal data transferred to the US as required by the Directive.

The Safe Harbour agreement will now need to be revised and, in the meantime, companies that have been relying on the Safe Harbour framework will have to find other ways of doing so if they are to comply with the Data Protection Directive.

If you would like to discuss data protection rights then please contact a member of our employment department.