Updating our blog of 9th October, the end of January 2016 will mark the point at which EU data protection regulators could start prosecutions for any erroneous transfer of EU individuals’ personal data from Europe to the US – unless a replacement for the Safe Harbour Agreement is rapidly agreed.
The heat is firmly on in Brussels to find a workable solution, and fast: up to 4,500 US companies (not just tech firms) transferring data across the Atlantic to Europe could now face 20 or more different sets of national data-privacy regulations in place of the Safe Harbour Agreement, which had been in place for 15 years.
In a case brought by law student Max Schrems against Facebook, the NSA’s mass data collection, originally highlighted by the Edward Snowden leaks, prompted the European Court of Justice (CJEU) ruling on 6th October 2015. This now looks set to massively disrupt the international ecosystem for data transfer, legal adherence and sovereign user assurances. The regulators emphasised that the question of mass and indiscriminate surveillance was central to the CJEU’s decision and that a replacement data transfer agreement would have to provide “stronger guarantees to EU data subjects” accompanied by “clear and binding mechanisms” and “oversight of access by public authorities”.
The main points
• Individual European countries can now set their own regulation for US companies’ handling of citizens’ data, vastly complicating the regulatory environment in Europe (Russia recently introduced a new data law demanding that data on Russian citizens be stored within Russia).
• Countries can choose to suspend the transfer of data to the US — forcing companies to host user data exclusively within the country.
• The Irish data regulator (Ireland being the host nation for Facebook and Microsoft’s European data centres) has now agreed that it will examine whether Facebook offered European users adequate data protections – and it may order the suspension of Facebook’s transfer of data from Europe to the US if not.
Privacy lawyer Dr Susan Foster of Mintz Levin commented: “Consent has to be explicit and freely given” — which causes a headache for another key use of Safe Harbour, the transfer of employee data. “In many countries in Europe you can’t rely on consent from employees, because employees are understood not to have free choice.” An employee may feel pressured into consenting, so such a consent would not be a valid basis for the transfer. “A lot of multinational companies with employees in Europe rely on Safe Harbour because they don’t feel they can rely on consent, quite rightly.”
A new dawn awaits data controllers across Europe. The upshot is likely to be one filled with more model contract clauses and a greater emphasis on risk-based analysis surrounding data transfer. But whatever the outcome, from 1st February 2015, ‘ignorantia juris non excusat’ applies – roughly translated: ‘ignorance of the law is no defence’. Businesses beware!