On 6 October 2015, the Court of Justice of the European Union declared the safe harbor decision – a scheme which endorsed the protection of personal data transferred from the European Union to complying United States undertakings – invalid. The landmark decision was set in motion by an Austrian citizen who brought a complaint to the Irish subsidiary authority, objecting to his personal data being transferred from Facebook’s Irish subsidiary to the United States.
The European Commission’s Directive on Data Protection prohibits the transfer of personal data to non-European Union countries that do not meet the European Union’s (EU) ‘adequacy’ standard for privacy protection. While the United States (US) and the EU share the goal of enhancing privacy protection for their citizens, the two countries have different approaches when it comes to safeguarding personal data.
In order to bridge these differences and in order for US organisations to satisfy the Directive’s ‘adequacy’ requirement, the US Department of Commerce, in consultation with the European Commission, developed a ‘safe harbor’ framework (Safe Harbor). By subscribing to the US-EU Safe Harbor framework, US organisations are able to satisfy EU organisations that there is ‘adequate’ privacy protection, as defined by the Directive.
Maximillian Schrems, an Austrian citizen created his Facebook profile in 2008. Some or all of the personal data of EU Facebook users, such as Schrems, is transferred from Facebook’s Irish subsidiary to the US. Schrems lodged a complaint with the Irish Supervisory Authority, claiming that the US did not offer adequate protection against US public authorities’ scrutiny of personal data.
On the strength of the Safe Harbor decision, the Irish Supervisory Authority found that the US offered adequate protection to EU citizens’ personal data. The case was then brought before the High Court of Ireland, which, in turn, referred various questions to the EU’s highest court.
The Court of Justice of the European Union (CJEU) declared the Safe Harbor scheme for data transfer to the US invalid. It ruled that the decision did not afford EU citizens adequate protection primarily because US public authorities were not obliged to adhere to the built-in protections of the scheme. In addition, the CJEU pointed out that US public authorities, such as the US’s National Security Agency, are encourage to disregard the protections afforded by the scheme where “national security, public interest and law enforcement,” demand it. The concomitant effect is that the Safe Habor scheme allowed US public authorities to interfere with the fundamental rights of EU citizens.
In the employment context, the affected companies would be:
- US parent companies which hold data from data subjects in the EU or which obtain data from sources in other parts of the world via Europe;
- HR service providers storing personal data in the US; and
- once the Protection of Personal Information Act, No 4 of 2013 (POPI) comes into force, South African companies transferring data to US companies will have a similar difficulty.
There are alternative options to comply with the European Directive and national legislation such as:
- the use of approved model contract clauses;
- binding corporate rules in respect of intra company transfers;
- employee consent although not a complete solution; and
- temporarily not transferring data pending a solution between the national data authorities and the EU.
In planning for the enactment of the remaining sections of POPI, South African companies should bear the consequences of this judgment in mind, whether they “Like” it or not.