One of the primary requirements of the European Data Protection Framework is that personal data of European citizens must not be transferred to a country which is outside of the European Economic Area unless the country to which the personal data is to be transferred “ensures an adequate level of protection”; this is provided for within Article 25 of the 1995 Data Protection Directive and is given effect to in the UK in the form of the eighth data protection principle in Schedule 1 to the Data Protection Act 1998.
The United States of America has, for some time, been a somewhat contentious destination for personal data of European citizens. The European Commission and the United States Government sought to assist the flow of personal data between the EU and the US through a scheme called “Safe Harbour”. This scheme was challenged and in 2015 the Court of Justice of the European Union held that the European Commission’s decision in respect of the “safe harbour” scheme was invalid.
The Court of Justice’s decision on safe harbour came following a request for a preliminary ruling by the Irish High Court. This followed a complaint to the Irish Data Protection Commissioner by an Austrian citizen, Max Schrems, in respect of Facebook. Under Facebook’s terms and conditions all of its users in Europe have a relationship with ‘Facebook Ireland’ and as such, it falls to the Irish Data Protection Commissioner to regulate the use of personal data by Facebook.
Following that decision the European Commission and the US negotiated a new scheme, known as “Privacy Shield”. There has been much debate about whether privacy shield is itself adequate and a challenge, also by Max Schrems, is underway. The Irish Data Protection Commissioner sought from the Irish High Court a reference to the Court of Justice of the European Union and today the Irish High Court has agreed to make the reference.
The Irish Data Protection Commissioner has, the court decided, identified a number of “well founded concerns” and that the introduction of the Privacy Shield Ombudsman mechanism does not “eliminate” those concerns.
Although this is an Irish case, the outcome of a decision from the Court of Justice of of the European Union could have profound consequences for data controller’s right across the European Union. In the event that the Court invalidates the privacy shield agreement, data controllers who are reliant upon it will find themselves in a situation where their compliance with data protection laws will be in doubt.
The exact questions which will be referred to the Court of Justice of the European Union by the Irish High Court are yet to be determined and the judge in the case will be addressed by parties on this issue in due course.
This is certainly a case that data controllers (and indeed data subjects) should keep a close eye on. Data controllers who transfer personal data from the EU to the United States of America should think about reviewing their transfers and assessing whether they would continue to be permitted, within the context of the EU data protection framework, in the event that privacy shield is invalidated by the Court of Justice of the European Union in due course.
If you would like advice or assistance on a data protection/privacy matter, or any other information law matter, then you can contact Alistair Sloan on 0345 0345 450 0123. Alternatively, you can send him an E-mail.