SUMMARY: Employers who transfer employees’ personal data to a US office should be aware that they can no longer rely on the Safe Harbor decision to comply with data protection laws.
A recent European ruling means that the Safe Harbor decision is invalid. Since then, employers have wanted to understand what this means in relation to transferring employees’ personal data; below are some frequently asked questions.
Q1: What is the Safe Harbor decision?
The Safe Harbor decision previously enabled certified organisations to transfer personal data from the EU to the US without breaching European data protection laws.
The Snowden revelations about the US National Security Agency’s surveillance of data held by Safe Harbor participants seriously undermined Safe Harbor’s credibility. The revelations indicated that the US was not ensuring an adequate level of protection for personal data.
Subsequently, the European Court of Justice (ECJ) held that the Safe Harbor arrangement is invalid.
Q2: Does the ECJ’s decision concern our organisation?
Personal data transfers between the EU and the US
If your organisation transfers personal data between the EU and the US, the decision concerns you: you can no longer rely on the Safe Harbor decision when transferring such data.
The European Commission is attempting to agree a new Safe Harbor package but has not given any time frame for finalising this.
Continuing to transfer data on this basis therefore carries a level of risk. We suggest ways in which you can manage this risk at question 3.
Personal data transfers within the EU
If your organisation only transfers personal data within the EU, this decision will not affect you.
Q3: If we cannot rely on the Safe Harbor framework, what are the alternatives?
EU organisations should now consider alternatives to Safe Harbor when transferring personal data to the US. These include:
1. Having an employee’s informed express written consent. Consent may, however, be withdrawn at any time. Note that it may be considered unfair to make it a contractual requirement for an employee to consent to a transfer of his/her data to the US.
2. Implementing the following:
- Model contracts – contracts adopted by the European Commission which provide standard wording for the transfer outside the EU; and
- Binding Corporate Rules – a set of approved internal Codes of Conduct. The EU’s Article 29 Data Protection Working Party has developed a number of documents to assist.
3. Anonymising or pseudonymising data exported from the EU to the US.
A paper trail should always be kept of any steps taken.
Q4: What are the possible sanctions if we transfer personal data to the US without appropriate alternatives in place?
Legal sanctions in the UK, if the organisation breaches data protection legislation, include:
- a fine of up to £500,000;
- the Information Commissioner taking enforcement action against the organisation; and
- conviction for a criminal offence (which could result in an unlimited fine).
Organisations should also be aware that a breach of the Data Protection Act 1998 is likely to result in damaging adverse publicity and individuals could bring a civil claim against the organisation.
For more details about the issues in this article or if you would like a data protection policy, which we advise all organisations to have, please contact:
+44 (0) 808 172 93 22
This update is for general guidance only and does not constitute definitive advice.