Ross McKenzie: What next for safe harbour?

In yesterday’s decision, the European Court of Justice ruled that the “safe harbour” scheme, which permits transfers of personal information to US companies, is invalid.
Ross McKenzie, data protection practitioner at Burness Paull

This means that, in the absence of any other steps, transfers of personal information across the Atlantic under the scheme are in breach of European data protection laws. This has pretty major implications for businesses, for the most part in the IT world, that host personal data on computer servers in the US.

The finding is not surprising. The decision has brought to a head the sabre rattling from the European authorities over the last couple of years, especially after the Snowden revelations.

Given the gravity of the decision, it is unlikely that the UK’s Information Commissioner (who enforces the privacy regime in Scotland) will immediately take enforcement action. The rules have been in place for 15 years and this is against the background of a new regulation coming along in the next few months. There’s a lot to get to grips with.

If you do rely on the scheme, you should start to consider how the decision will impact your business, and begin to record these considerations in case the regulator comes knocking. In particular, IT or cloud computing services which you may use from time to time may use safe harbour for hosting data in the US. I would not be surprised if suppliers of services like this will be preparing for questions from their customers about what alternative options could be used.

The EU does provide alternatives which permit a business to transfer personal information to the US. The most commonly relied-upon route to validating a transfer is consent of the data subject. Another popular route to achieve compliance is using a form of model contractual clauses, a set form of words approved by the data protection authorities, between the exporter of the information and the importer.

I typically see businesses “layering up” methods to legitimise a transfer using a number of options to ensure that transfers are compliant with the regime.

It will be interesting to see what lobbying will follow from digital powerhouses like Google, Microsoft and Facebook, particularly when personal information is at the core of their business. The ever-evolving right to privacy continues to protect, and challenge, us in our digital world.

Ross McKenzie is a data protection practitioner at law firm Burness Paull