My Guest Blogger Eric Levy is a senior attorney in Gardere’s Trial Practice Group who specializes in complex litigation with a focus on technology and Internet eCommerce related issues.
The European Court of Justice (ECJ) ruled on October 6, 2015 in the case of Schrems vs. Data Protection Commissioner that the access enjoyed by the US intelligence services to the transferred personal data of EU residents constitutes an interference with the right to respect for private life and the right to protection of personal data, which is contrary to the principle of proportionality because said surveillance is mass and indiscriminate. It further adjudged that Safe Harbor is invalid and that Data Protection Commissions in individual member states should investigate companies to ensure that their information handling practices comply with that state’s data protection laws.
In 1995, the EU passed the European Data Protection Directive – a series of principles designed to protect individuals with regard to the processing and free movement of their personal data. Among other things, the Directive permits the transfer of personal data to a country outside of the EU only if that country ensures an adequate level of data protection. The US ensures that level of protection via Safe Harbor, a program run by the Department of Commerce. If a US company is certified as Safe Harbor compliant, it can store the personal information of EU residents on US servers.
Schrems, an Austrian citizen and a Facebook user since 2008, alleged that Facebook should not be allowed to transfer the personal information of its subscribers from its Irish servers to servers in the US. In light of revelations made in 2013 by Edward Snowden concerning the activities of United States intelligence services like the NSA, Schrems contended that the law and practices of the United States, including Safe Harbor, offered no real protection against surveillance by the United States of personal data transferred to that country. On October 6, 2015 the ECJ agreed with him.
The implications for US companies wishing to transfer the personal data of EU residents to America are staggering. Instead of having to comply with the requirements of one data protection regime (Safe Harbor), said companies will potentially have to deal with twenty-seven different sets of rules and regulations governing such transfers. This may be less of an issue once the EU enacts new data protection regulations later this year, but these new regulations will likely be much stricter than current local member state laws, with no guarantee of a Safe Harbor equivalent embedded within them. Given the uncertainty that is likely to ensue over the next year or so, US companies might want to consider turning to alternative methods of guaranteeing the security of personal information, such as model contracts or Binding Corporate Rules (BCRs).