Legal Update
Oct 16, 2015
No Safe Harbour? Immediate Implications for Employers
A landmark decision of the European Court of Justice (ECJ) has held that companies may no longer rely on “Safe Harbour” to justify transferring personal data from the European Union to the US, because the US Government has a right of access over all data held in the US. The decision related to user data held by Facebook, but it has ramifications for multinational employers who hold employee data on US HR information systems, or transfer data in order to make management or HR decisions in the US.
Below, we answer some common questions from clients.
Does the ECJ’s decision apply in all of the European Union member states?
Yes, the ECJ decisions apply to all European member states with immediate effect. The ECJ decided that the national data protection authorities in each of the Member States should make their own decision as to whether “safe harbour” is in fact “safe”, rather than relying on the Commission decision of 2000 which approved “safe harbour” for transfers from all EU countries to the US. This means each authority can now take a different view: some authorities (like the UK Information Commissioner) are typically more pragmatic, while other authorities take a stricter approach (such as the French CNIL or the Data Protection Commissioners in Germany).
Does a case concerning the personal data of a Facebook user apply in the employment context?
Yes, the same data transfer principles apply whether transferring customer or employee data. However, the risk in practice of challenge by employees is always lower than when handling external data. It is difficult to see on what basis damages could be assessed for the transfer of data in an employment context.
We don’t rely on Safe Harbour - does this case apply to other forms of transfer?
Safe Harbour is just one of the permitted routes to transfer personal data outside the EU. Other methods include consent, binding corporate rules and EU model clauses. Given that the US Government has a right of access over all data held in the US, there is a question over whether employees could also challenge these other transfer routes.
Employers could also continue to transfer personal data to the US under one of the other exceptions, for example:
- The employee’s informed consent to the transfer. However, an employee’s consent can be revoked at any time, and it is questionable whether an employee’s consent can ever be freely given in the employment context, even at the time of recruitment before the individual becomes an employee.
- The transfer being necessary for the performance of relevant contractual obligations. This could include an employer’s obligations under the employment contract (for example processing salary and benefits), although there may also be an argument that the transfer to the US is not the only way in which these obligations could be carried out.
What should we do now?
The Information Commissioner’s Office (“ICO”) in the UK has said that employers relying on Safe Harbour should review their approach, but acknowledges that it will take employers time to do this. It also stated that it will be working with its European colleagues to produce consistent guidance following the ECJ ruling. Although employers will want to look into alternative options for transfer, none is failsafe. A more pragmatic option is likely to be to limit transfers of the most sensitive employee personal data and wait for consistent guidance from the national Data Protection Commissioners, and for the EU and the US to finally agree a new Safe Harbour framework, which was under negotiation even before this ECJ decision. This may however not be achievable in practice.
Seyfarth Shaw LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from their professional advisers.