The decision related to the European Union’s (EU) safe harbour structure for cross-border data transfers from the EU to the United States was invalidated by the Court of Justice of the European Union (CJEU) on October 6, 2015. Due to this, companies involved in the transfer of personal data of European Union residents to the United States are uncertain regarding the legitimacy and legality surrounding data transfer practices.
Understanding the safe harbour
European data protection laws are quite stringent in nature, compared to anywhere else in the world. These laws require companies to have rigorous requirements in order to collect, process, or transfer personal data related to the residents of the EU. To make it clear, personal data can be defined as information that can be used as an identifier for a natural person. So, in general, the EU law allows the transfer of EU residents’ personal data to non-EU countries only if an “adequate” level of data protection is provided.
A recipient can ensure an adequate level of data protection using multiple methods, but EU-US Safe Harbour has been the most popular method. This is because the EU-US Safe Harbour provided a faster and a much more streamlined process for U.S. companies to demonstrate compliance with the data protection laws of the EU. For an organisation to take advantage of the Safe Harbour, all it had to do was annually self-certify with the U.S. Department of Commerce and agree to adhere to several privacy principles, which included notice, choice, and access. The organisation alsohad to demonstrate its adherence to the principals by joining a self-regulatory program or developing a self-regulatory policy of its own. After being certified, the company was free to freely transfer personal data from the EU to the U.S. Companies in the U.S. heavily relied on the Safe Harbour to comply with EU’s data protection laws. However, the Safe Harbour has been criticised for not doing enough for the privacy of EU citizens.
Understanding the CJEU Decision
The EU-recognised safe harbour principles were invalidated by the CJEU. The chief reason was the large-scale access by intelligence agencies to data that was transferred to the United States by Safe Harbour certified companies. This implied that the domestic surveillance practices put in place by the United States compromised the confidentiality of the data being sent to the U.S. from EU.
According to the court’s decision, the European Commission has failed to establish that the United States can provide a secure environment for the transfer of EU residents’ personal information. Hence, there is no requirement for the national data privacy regulators in the EU to recognise the Safe Harbour as a means to comply with EU data protection laws.
Considering the judgement passed by the CJEU, Canadian businesses which used to rely on the Safe Harbour for transfer of personal information about EU residents to the U.S. will have to adopt other means available in order to ensure compliance with the EU Data protection compliances.
For now, all that can be done is to monitor future decisions of EU data protection authorities. It is uncertain for now to assume that any other safe harbour like structures will come into existence.
To get a better idea regarding the compliance laws and legislations related to personal data in Canada, get in touch with Prowse Chowne.