Safe Harbour provided a certain amount of comfort for UK businesses storing or processing customer data in the US that their practices were compliant with UK data protection laws, and free from the risk of regulatory intervention and fines. But all that changed on 6 October 2015 when the Court of Justice of the European Union (CJEU) declared Safe Harbour invalid.
The judgment has its origins in June 2013, when Edward Snowden published allegations of indiscriminate, mass surveillance by the US National Security Agency. This prompted Max Schrems, an Austrian law student and privacy campaigner, to begin legal action the same month against Facebook in Ireland to try and prohibit the transfer of Facebook's European users' data to the US.
As part of these proceedings, the Irish High Court asked the CJEU to consider whether it was open to the Irish Data Protection Commissioner to revisit the question of whether the US provided an adequate level of protection in the light of Safe Harbour. The CJEU confirmed that it was, but the Court went further than this and ruled that Safe Harbour was itself invalid.
The Court was strongly critical of the laws governing data protection in the US, both the indiscriminate gathering of intelligence and the lack of legal redress to the individuals affected:
"Legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life ...
Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection."The Court therefore concluded that Safe Harbour was not agreed on the basis that the US ensured an adequate level of protection by reason of its domestic law or its international commitments and was therefore invalid.
In truth, Europe has been on a collision course with the US over Safe Harbour ever since the Snowden revelations, which included allegations of US surveillance on several prominent European leaders.
But where does that leave the business community?
A Commission press release issued after the judgment gives assurances that Europe will continue to work towards "a renewed and safe framework for the transfer of personal data across the Atlantic" and indeed Safe Harbour renegotiations have been underway for some time.
In the meantime, while it undoubtedly creates unwanted uncertainty, the demise of Safe Harbour does not automatically mean the transfer of European data to the US flouts data protection laws. Such transfers are lawful where the data subject has provided freely given and informed consent, for example. Moreover the inclusion of prescribed (and somewhat cumbersome) model clauses authorised by the UK Information Commissioner's Office in any relevant contract governing the transfer of data will be deemed to amount to an adequate level of protection. The ICO can also approve so-called Binding Corporate Rules governing intra-group transfers. Further guidance is likely to be forthcoming from the Commission and the ICO in the near future.
US companies like Facebook and Microsoft are already claiming that their services remain compliant with European data protection laws notwithstanding the ruling on Safe Harbour. But businesses would be well-advised to seek independent reviews of their arrangements with these and other US suppliers, and to consider putting alternative contractual arrangements in place if necessary.