Attention all data exporters: data transfer to the US under suspicion. Urgent measures required
The Court of Justice of the European Union (CJEU) has declared that the European system of international data transfer to the USA, known as the “Safe Harbor” scheme, is invalid, considering that it violates individuals’ privacy. The decision has had a significant impact on all multinational groups and organizations that transfer data to the United States.
The controversial judgment, delivered on 6 October by the CJEU, overturns Decision 2000/520 on the “Safe Harbor” deal, which authorized personal data transfer from the European Union to US companies that guaranteed an adequate level of protection and complied with the privacy regulations of Member States.
According to the Court, the principles on which the Safe Harbor scheme was based only apply to business corporations, and not to state agencies or US government bodies, which risked invading European citizens’ privacy based on “national security, public interest and law enforcement requirements of the United States” without there being effective state regulations or legal mechanisms in place to limit that type of interference.
The Court holds that the US data protection policies in terms of public interest and national security fail to comply with the data protection principles of the European Union. Directive 95/46 imposed clear and precise rules on how to protect citizens from abusive, unjustified and disproportionate interference in their private lives by public authorities.
Up to now, the Spanish Data Protection Agency (AEPD) accepted mere notification by the data controller (without any authorization requirement) of data transfer to the USA, provided that the company importing the data adhered to the Safe Harbor scheme. As a result of the judgment, a number of issues are now left hanging, such as the measures that national data protection authorities should take in respect of international data transfers to the United States that have already been authorized, or future data transfer requests.
As the AEPD has indicated in a press release issued on its website, European regulators plan to take joint action to establish the criteria for applying the resolution in a standardized manner throughout the EU.
Until the legal situation is clarified and the European national authorities take a stance on their joint course of action, data controllers are advised to remain proactive and attempt to seek solutions which will reduce the risks and impact of the practical application of the judgment. Such measures could include compiling detailed lists of all the international transfers carried out, meticulously reviewing data assignment agreements with US businesses, checking that they have taken into account Standard European Clauses, and ensuring that the US importer fulfils the security requirements laid down by European Law.
Department of Technology & Outsourcing Garrigues