Safe Harbour is no refuge

One of Europe’s most senior lawyers has today declared the EU-US Safe Harbour regime invalid in the light of the Snowdon revelations about mass data surveillance in the USA. This has profound implications for organisations transferring personal data to the US or importing personal data from Europe.

The Data Protection Directive (95/46/EC) requires organisations that collect personal data relating to EU citizens retain such data within the EEA unless it is being transferred to a jurisdiction which ensures ‘adequate’ protection for such personal data.

In 2000 the European Commission declared that Safe Harbour provided adequate protection of personal data and since then the scheme has been widely adopted to justify transfers of personal data to US organisations certified within Safe Harbour.

However, in 2013, widely publicised revelations by Edward Snowden detailed the ability of US intelligence agencies to undertake mass and indiscriminate surveillance without effective judicial oversight, including accessing personal data relating to EU citizens which had been transferred to or stored in the US.

Today, it has been declared that this collection of and access to personal data in the US is inconsistent with the fundamental rights for the respect for private life and the protection of personal data as set out within the European Charter and that the lack of judicial oversight and process available to EU citizens in respect of such data collection and access also interferes with the right of EU citizens to an effective remedy, (also guaranteed by the European Charter).

The issue in point here is whether the safe harbour regime as a whole is consistent with the requirements of the Data Protection Directive and the European Charter in light of the Snowden revelations.

This issue will be finally determined by the Court of Justice of the European Union (CJEU) in due course. In the meantime organisations transferring EU personal data into the US should make sure they review their arrangements and look to implement appropriate alternative compliance solutions as a back-up.

Leave a Reply

Your email address will not be published. Required fields are marked *