EU data legislation and Safe Harbour: what now?
14 March 2016
“Different companies move data in different ways, and there are different kinds of data. Some companies are multinationals and they transfer data on their own employees from one side of the Atlantic to the other. But of course there’s also the more famous kind of data which is being collected on citizens,” said McGarr.
“At a certain point, this is almost congruent with everyone. When you add up the total number of adults in Europe who use Facebook and/or Google and/or Amazon and/or Yahoo and/or Microsoft products during the course of a day, you hit a very large proportion of the adult population of Europe.”
The death of Safe Harbour does not make it exactly illegal to transfer data across the Atlantic, but it does make it much more complicated.
“Safe Harbour was only one of a number of means by which you could ensure that the transfer of personal data was lawful,” said Mark Rasdale, intellectual property and technology partner with A&L Goodbody.
“So for example if somebody consented to the transfer of personal data, and really there’s a whole load of other issues to think about there, but if you consented then that would be a lawful transfer. If it was necessary for the performance of a contract, then that would also be a lawful transfer.”
Standard form contract
There are also other means, such as the use of what are termed model contracts and clauses. These are model clauses that are approved by the European Commission to be used to create a standard form contract that will provide for a certain level of protection and therefore render the transfer lawful.
“So Safe Harbour was never the only means, but it was a convenient means for a lot of companies, particularly US companies, which were doing a lot of business with Europe. But it’s worth saying that there has been a lot of political discussion and negotiation as a result of the European Court’s decision,” said Rasdale.
“There is a lot of concern amongst businesses as regards where this is going. The open question from the perspective of those companies who were relying on Safe Harbour was ‘Well if the court has said it’s no longer valid what do we do next?’.”
“And what a lot of companies have been thinking about is – well we need to find an alternative way to ensure that the transfer of our personal data is lawful until such times as Safe Harbour is replaced with something.”
If a company that previously relied upon Safe Harbour to cover its international data transactions has not made the effort to replace that with an alternative method, then it is on legally dubious ground, according to Olive McDaid, solicitor and certified data protection practitioner with Ward Solutions.
Don’t panic, don’t rush
“It’s a very grey area. Safe Harbour no longer applies so technically, yes, it’s illegal to move data across the Atlantic, but the relevant data protection agencies are adopting a wait and see approach on this. The advice now is generally don’t panic and rush to change things because we’re in a sort of limbo. It’s also worth noting that the other options for transferring data, whether it’s the agreed model clauses or the binding corporate rules — there’s still a question mark over whether the Schrems decision also invalidated them.”
“The advice we’re giving is don’t rush to change anything but now is not the time to be complacent either. Now the thing to do is take stock of where you’re at — what data are you actually transferring out of the EU, where is it going to and what are the current arrangements that you have in place? What level of protection is around that data and is it appropriate? Are there other options you could pursue, such as getting explicit consent to transfer that data outside the EU?”
According to McDaid, one effect of the Safe Harbour decision has been to prompt renewed attention to corporate governance in this area.
“We’re seeing companies going through their security governance and their data governance so auditing and reviewing their current arrangements to see if there is anywhere where they can reduce their risk. The big question is can you transfer your data just within the EU or can you reduce the amount of data you’re transferring and get it covered by explicit consent,” she said.