Cathrine Ripley reviews recent developments in data protection law, which call into question the adequacy of IT companies’ compliance programmes.
A fundamental principle of EU law is legal certainty. Arguably no other area of commercial law contradicts this principle more than the law of data protection and at no time have the rules on data privacy seemed more unfathomable than following the European Court of Justice’s ruling on a complaint brought by privacy activist, Max Shrems, on 6 October. The commercial world was already bracing itself for the final long-awaited enactment of a new European data protection regulation. Just one week earlier data privacy lawyers were digesting the impact of a European Court of Justice ruling on 1 October which, at least as regards multi-jurisdictional data service providers such as Facebook, reverses the erstwhile principle that compliance with data privacy rules and enforcement was only required in the country where it was established.
Under the Data Protection Act 1998 and the Data Protection Directive, “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”. To comply with this requirement, the EU and the US authorities agreed a Safe Harbour scheme to facilitate compliance by data service providers who transfer data to the US. Facebook is one such provider. Mr Shrems complained that, in the light of the revelations of US state intrusion by Edward Snowden, the data held on his Facebook account transferred to the US was not protected by the Safe Harbour scheme. On a referral from the Irish courts, the ECJ agreed with him and went on to confirm that the Irish, and any other national data protection authorities, are permitted to challenge by referral to the ECJ schemes even if agreed by the European Commission. The Safe Harbour scheme is therefore now invalid as it places the interests of national security, public interest or law enforcement over the adequate protection of personal data in the US.
There are some 3,000 organisations registered with the Safe Harbour scheme, who will now have to find alternative ways to ensure adequate measures are in place before they can continue to transfer data. Seeking individual consent is perhaps administratively untenable as such consent cannot be given in a general sense. It has to be explicit, fully informed and unambiguous. Almost as difficult at least for complex data transfer arrangements, is to agree model contracts and data transfer agreements which mirror the EU approved model contract clauses. For data transfer within group companies, a good option is to adopt binding corporate rules which guarantee the protections needed. Of course there is always the option of moving data processing activity to the EEA.
One difficult aspect of law change by the ECJ is that it comes with no transitional provisions or grace period, which is normally a feature of legislative change, and this fact is likely to be taken into account by the relevant data protection authorities. However, doing nothing is not an option and if any of the above strategies can be achieved without objective difficulty, then these steps should be taken. In the meantime, the EU/US were already in discussion over a new Safe Harbour scheme and this ruling from the ECJ is likely to add considerable pressure for early conclusion of those negotiations. One thing is certain, this is an area of law which is facing strong winds of change and an uncertain future.