Are you a Google Apps user? Do you recall getting an email that began like this?
“Please note that the update below is relevant only if you process personal data and European Data Protection laws apply to that processing. This will often be the case if your business is based in the European Union. If you are unsure whether this applies to you, we suggest you seek advice from legal counsel.”
If so, did it make any sense to you?
That email came from a decision by Europe’s highest court. It declared the US-EU Safe Harbor Framework with respect to data privacy was no longer valid.
EU privacy laws and US privacy legislation: an uneasy mix
European Union (EU) privacy laws are thought to be stricter than United States privacy legislation. Nonetheless, the EU made an exemption for US companies – as long as they provided for similar protection of personal data originating in the EU.
Most recently, the EU said that the ability of companies to comply with the Safe Harbour frameworks was severely undermined by the Edward Snowden revelations about US National Security Agency surveillance of data in the US.
How did this get started?
Meet Maximilian Schrems, not your average Facebook user
The case was started by Maximilian Schrems, a resident of Austria and a Facebook subscriber. He complained to the Irish Data Protection Commissioner that it should prevent Facebook Ireland from transferring his personal data to the United States, because the US did not ensure adequate protection of personal data due to NSA mass surveillance.
The Irish Data Protection Commissioner primarily said that it did not have the authority to override the EU Safe Harbor framework, so Schrems then went to the Irish High Court. The High Court disagreed. It said that Snowden had demonstrated significant over-reach by the NSA and referred legal questions to the European Court of Justice.
As of October 6, 2015, this has changed. As part of Schrems v. Data Protection Commissioner [2015], the European Court of Justice essentially agreed with the Irish High Court: the US government’s ability to access EU data, with EU citizens having no redress in the US, meant that companies in the United States, even if self-certified, would not be able to comply with Safe Harbour provisions.
Dealing with data transfers: US companies operating in the EU
This decision has a significant impact on US companies operating in the EU, specifically on EU/US data transfers, an essential part of modern digital commerce. The European Commission has now said that if companies adopt certain model contract clauses, that should suffice to allow personal data to be transferred between Europe and the United States.
I don’t find this very reassuring. The decision introduces a great deal of uncertainty for US companies. The US has been negotiating a Safe Harbour agreement with the EU, and the EU has said they will not be enforcing the decision until January of 2016. But January of 2016 is not far away; undoubtedly, this decision will prompt both sides to move faster.
What about EU-Canada data transfers?
How does this affect data transfers between the EU and Canada? The EU made a previous decision that found that Canada’s privacy legislation provides adequate protection of personal data. So this recent decision does not affect Canadian data transfers to the EU. But if challenged, there is a possibility (albeit small) that a different decision would be reached.
Don’t relax entirely! This will not be the end of the story, as there may be follow-on decisions from EU authorities and/or a new Act to protect data transfers between the EU and the US.