
'Safe harbour' personal data transfers from EU to US are no longer legal

Kirsten Thompson and partners, McCarthy Tétrault LLP, Partner, Toronto, 29 October 2015


In view of the Snowden revelations about the American Government's law-breaking surveillance of practically everybody in sight, the European Union's highest court has ruled that it is no longer acceptable to transfer personal data – including presumably account and KYC data – from the EU to the US by means of a long-standing mutual 'safe harbour' deal.

On 6 October, in the highly anticipated case of Schrems v Data Protection Commissioner, the Court of Justice of the European Union (CJEU) declared that the US-EU “safe harbour framework” is invalid, striking it down. The decision took effect immediately, with far-reaching and widespread implications for private banks, asset management companies, multi-family offices and advisory firms with multinational data flows.

Since EU data protection laws purport to apply to the processing of personal data regardless of whether the individuals in question are citizens of EU countries or not, or are physically present in the EU or not, this decision does not just affect financial firms with an EU clientèle. Any firm that makes use of equipment located in a member-state to process personal data is at risk.

Flying in the face of the establishment

Max Schrems, a law student and privacy advocate from Austria, sued Facebook in Ireland, asserting that mass surveillance by outfits such as America's National Security Agency, as revealed by Edward Snowden, infringed his privacy. The 'safe harbour framework' invites major American organizations to certify that they are providing an "adequate level of protection for privacy and fundamental rights and freedoms" in compliance with EU privacy laws and awards them an exemption from those laws in return.

When asked for his opinion, the Irish Data Protection Commissioner originally rejected the case on the grounds that the European Commission (the unelected group of civil servants that draws up all EU laws and represents the nearest thing that the EU has to an executive branch) had already told everybody that it thought that the 'framework' was compliant. The High Court of Ireland, when asked, referred the question of the legality of the 'safe harbour framework' to the CJEU, which concluded that it was incompatible with EU privacy law.

Apparently, some elements in the US Government (although not the NSA) are still claiming that surveillance agents monitor people's communications in a legal rather than an illegal way; this had no bearing on the CJEU's decision. It found an “original safe harbour decision” invalid on the grounds that self-certifying organizations "are bound to disregard" fundamental privacy rights when they conflict with the “national security and public interest requirements” or laws of the United States. This finding thus renders illegal any transfer of personal data from the EU to the United States that is based solely on 'safe harbour' self-certification. The CJEU's ruling is final, with no avenue for appeals. There is no guarantee that there will be a new agreement.

Banks with servers in the US or EU at risk

Many banks have relied on service providers self-certifying under the 'safe harbour framework' for cloud-based data storage operations. Since Article 4 of the EU Data Protection Directive gives EU data protection authorities jurisdiction when a 'controller' is not established on EU territory if the controller "makes use of equipment, automated or otherwise, situated on the territory of [a] member-state", the Schrems decision could also apply to any organization using a cloud network with EU and US-based servers, even if the personal information connects to US residents.

A Canadian angle

In addition to the immediate ramifications related to finding and implementing alternative options to the 'safe harbour framework,' the decision raises the question of whether Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and EU-Canada data transfers may be in line for a similar setback in view of the similar ability of Canadian authorities to access networked information on a national security basis.

What to do now?

Banks and other private client firms must now review alternative options for data transfers. These mechanisms include model clauses, binding corporate rules, anonymization, and express consent. The 'model clauses' approach uses a standard, pre-approved form of language, approved by the European Commission, for data transfers, while the 'binding corporate rules' approach requires the crafting of a binding policy governing related internal entities making international data transfers. This, like the use of model clauses, is time-consuming. Other approaches include obtaining express consent, which must be prior, unambiguous, and voluntary. Because such consent must be obtained before the data is collected, however, it will be almost impossible to obtain in relation to personal information that has already been collected. At this difficult moment, no option seems particularly easy.
