On 6 October 2015, the European Court of Justice ruled that the ‘safe harbour’ agreement for data flows between the European Union and the United States was invalid. The safe harbour agreement was set up some 15 years ago to facilitate easier transfer of data from the EU to the US and had previously allowed some 4,000 US companies storing customer data to self-certify their adherence to the scheme.
Following a complaint from an Austrian citizen, Maximilian Schrems, regarding the way Facebook processes personal data, the ECJ held the safe harbour principles to be invalid. The ECJ provided a number of reasons for its decision, including that the agreement did not require all organisations entitled to access EU personal data to comply with EU privacy laws. The ECJ also expressed concerns that US authorities were able to gain access to personal data originating from the EU on national security grounds. While the ruling does not necessarily render the transfer of data between the EU and the US unlawful, it means that companies can no longer rely on the safe harbour agreement and must instead, for example, implement model contract clauses with each recipient of personal data prior to disclosing such personal data outside of the EU.
From an Australian perspective, trans-border flows of information are particularly fraught with issues. Organisations based in Australia that use US service providers to provide IT services, and particularly cloud-based services, may be impacted by the decision if data is hosted on US and/or EU servers and those service providers had previously relied on the scheme. Additionally, many believe that the decision likely further cements the EU’s position that Australian privacy laws do not ensure an ‘adequate level’ of protection of personal data transferred from the EU for the purposes of EU privacy law, by virtue of the fact that Australian laws provide that an act done or practice engaged in outside Australia does not breach an Australian Privacy Principle if the act or practice is required by a law of a foreign country.
Now that the dust has at least begun to settle on the decision, attention is being paid to a new arrangement being put in place to replace the now-quashed safe harbour agreement. In fact, the European Commission’s vice-president, Andrus Ansip, has indicated that a new agreement will need to be in place ‘within the next three months’. The Commission has also recently issued guidance to businesses now caught out by the ECJ’s ruling, which confirms that the invalidity of the safe harbour agreement ought not necessarily prevent the transfer of data from the EU to the US, as other mechanisms are available.
In the coming weeks, US Senators are expected to vote on the Judicial Redress Act, which could give EU citizens the same legal rights as Americans if their data is mishandled within the US. This will likely go at least some way to appeasing the concerns of the European Commission.
We will, of course, keep you abreast of further developments.