5th November, 2015, in Safe Harbour, Schrems, Business Law, Data.
The new case of Schrems v Facebook has led to quite a bit of commentary in the world of data, the US and, well, Facebook. So what should you know, what do you have to do and where is the ruling and the model contract clauses so you can read them yourself?
1. What must you do before this ruling?
You can’t transfer data outside of the European Economic Area unless there is an adequate level of protection. (Directive 95/46/EC).
2. What must you do after this decision?
Errm…the same.
3. So which countries are safe?
You can of course transfer data within the European Economic Area willy-nilly. The EEA consists of the 28 European Union countries:
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland (very important), Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom
And three others:
Liechtenstein, Norway, Iceland.
There are other countries which the European Commission (under permission from the European Parliament) can determine as having adequate protection. These are:
Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay
And previously – but no longer (that’s what this whole thing is about after all!):
None of these agreements cover data in law enforcement by the way.
4. Why is Ireland important?
Because not only is it within the EU but it is where many US data operators tend to land. This includes Facebook, Google, Dropbox, Microsoft, Amazon, Apple, eBay, LinkedIn, Twitter, Yahoo.
5. What is Safe Harbour then?
When the Directive came into force in 1998, it won’t come as any surprise that large amounts of data were transferred to and from the tech innovation giant that is the US.
Rather than have every organization in the US have its adequacy tested, the Safe Harbour agreement was created by the US Government, which set out a number of principles. If a US company publicly complies with those principles, i.e. puts it on their website (participation in which is entirely voluntary), the company can self-certify as complying with Safe Harbour.
Then, under a decision in 2000, the European Commission put the companies in the US that signed up to Safe Harbour on the adequate protection list above. (Decision 2000/520/EC - you can find the original Safe Harbour ruling here).
6. So what does this new ruling say?
It’s all about the US. It says that Decision 2000/520/EC is invalid, i.e. those US companies self-certifying as complying with Safe Harbour - which would mean they would be considered to automatically provide adequate levels of protection - can no longer be presumed to do so. There is therefore no automatic inclusion within 'adequate level of protection' for any firm in the US.
7. So why is Ireland so important?
Quite apart from the good stout, this case was brought by Maximilian Schrems, an Austrian living in Austria using Facebook, which is based in Ireland and which sometimes sent data back to its server in the US.
He said, given the revelations by Edward Snowden that the NSA in essence accesses data indiscriminately, that his national data body should look into banning Facebook’s transfer of data to the US from Ireland. They refused to even look into it, citing 2000/520 and Safe Harbour, i.e. that it must automatically offer a safe level of protection. Max asked the European Court of Justice to take a look; they did, and they decided that 2000/520 is no longer good law.
8. What are your (or Facebook’s) options now?
There are three things you can do:
a) Don’t transfer data to the US, or don't use a company which does;
b) Rely on your own adequacy assessment
"UK businesses don’t have to rely on the Commission's decision on adequacy." That is not our view, it is the view of the Information Commissioner's Office, which you can see here.
c) Rely on one of the derogations or exceptions.
9. What are the derogations or exceptions?
Sometimes it's worth setting out the original legislation. These derogations, which you can use, are set out in Article 26 (or the Schedule to the Data Protection Act 1998):
a) the data subject has given his consent unambiguously to the proposed transfer; or
b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject’s request; or
c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
e) the transfer is necessary in order to protect the vital interests of the data subject; or
f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case; or
g) a member state may authorise a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.
10. How might the above derogations apply in practice?
Firstly, check where your data is going. Big service providers, even the likes of Microsoft, Google and Dropbox, change their policies all of the time. If you are providing the service yourself, or relying on others, this is really what the above means:
a) Consent: to get the client’s consent, it should be in a contract that you are going to transfer their data. The Data Protection Act 1998 (which embodies the EU Directive) doesn't define consent but it is defined in the directive as "…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed."
b) Pre-contractual Information: you run a holiday company, for example, and you need to know if the hotel you block book with can cope with a wheelchair in a particular room. Because your client has asked you, it’s okay to ask that hotel in Hong Kong (although you wouldn't need to pass on their name and address at that stage);
c) Performance of Contract: so, when the same client says "yes, please book that hotel", you will obviously need to tell the hotel their name;
d) Legal Duty: you go on holiday to France, all of your party drive the same camper van which you own, and you get the speeding ticket. It’s okay to give them the name and address of who was in fact driving;
e) Publicly Available Data: this doesn’t mean any data you can get - think electoral rolls, that sort of thing.
f) Contractual Clauses: you can set out a number of contractual clauses with the companies you use, for example in the US, which provide adequate protection. Helpfully, there is a standard set of model clauses set out by the EC available here.
There we are!
The advice from the ICO is ‘Don’t Panic’ (see the link in 8b above): don’t needlessly switch to less than ideal transfer mechanisms (that doesn’t mean do nothing!) but rather watch out for Safe Harbour 2.0, which many hope will emerge in the next few months.
You can find the full text of Schrems v Facebook here.