Major legal framework change for personal data transfers to the U.S.

European Court of Justice (ECJ) rules Safe Harbor framework as invalid

Are personal data transfers to the U.S. allowed?

Many European companies transfer personal data to the United States (US). They can do so knowingly (e.g. when transferring data to group members) as well as unknowingly (e.g. if data is stored in the cloud and/or backed-up on servers in the US).

In accordance with EU laws, personal data transfers from the EU to the US are permitted, but only under certain specific conditions. Transfers were considered allowed if the personal data recipient in the US adhered to the so-called Safe Harbor framework amongst others. This framework consists in a series of principles concerning the protection of personal data to which US enterprises may subscribe voluntarily and under which the US recipient shall be considered as offering an adequate level of protection for personal data by EU standards. Many companies rely on Safe Harbor when transferring personal data to the US.

What has changed?

The European Court of Justice (ECJ) now held in a ruling dated 6 October 2015, that the EU Commission’s adequacy decision, approving the Safe Harbor framework, is invalid. The Safe Harbor framework is considered not in line with EU laws, as it amongst other elements, compromises the fundamental right to respect for private life, by allowing US public authorities to have access, on a generalised basis to the content of electronic communications. Also, the fact that individuals do not have any possibility, in the USA, to pursue legal remedies in relation to their personal data, is not in line with EU laws.

Consequently, the Safe Harbor framework is found to be invalid and can no longer serve as a legal basis for the transfer of personal data from the EU to the US.

What does this mean for companies?

It is key to verify the stream of personal data within a company.

If the company or a contracted personal data service provider transfers personal data to the US or in case personal data service providers on which the company relies do so, the legal basis for such transfers must be verified. In the event the company, the USA recipient or the service provider relies on Safe Harbor, other options have to be used.

Pending further guidance from national data protection authorities, such as the Belgian Privacy Commission, the most efficient option is to make use of the European Commission’s Standard Contractual Clauses. These clauses bind the data exporter (the European company transferring data) and the data importer (in this case, the US recipient) and are (almost) automatically considered as sufficient safeguards in light of applicable data protection rules (subject to prior review of national data protection authorities in certain cases).

Multinationals can also implement Binding Corporate Rules (BCR). BCR are internal codes of conduct ratified by the different data protection authorities involved in the transfer.

In limited cases, it is possible to rely on the individual’s unambiguous consent to the transfer of his/her personal data to the US. However, this exception must be interpreted restrictively and cannot constitute the normal framework for massive and repeated data transfers.