Transferring employees’ data to the USA may breach Data Protection Act
In a decision that could have important implications for UK employers which share employees’ personal data with US parent companies, the European Court has declared the EU-US Safe Harbor regime invalid.
The Data Protection Directive (implemented in the UK by the Data Protection Act 1998) requires organisations which collect the personal data of EU citizens to keep the data within the European Economic Area unless it is being transferred to a jurisdiction which ensures ‘adequate’ protection for the data.
One way in which adequacy can be established is to obtain a declaration of approval of a regime for protecting personal data from the European Commission. In 2000, the European Commission declared that the safe harbor scheme established with the USA provided adequate protection of personal data and since then the scheme has been widely adopted to permit transfers of personal data to US organisations certified under safe harbor scheme.
The safe harbor regime has come under mounting pressure following Edward Snowden’s revelations that US intelligence agencies have been collecting personal data relating to EU citizens that have been transferred to the USA under the safe harbor scheme.
The European Court has now ruled that this access and collection is inconsistent with the fundamental rights for the respect for private life and the protection of personal data as set out in the European Charter. It also declared that the lack of judicial oversight available to EU citizens interferes with the right of EU citizens to an effective remedy, also guaranteed by the European Charter. The European Court concluded that these infringements of the fundamental rights of EU citizens means that the safe harbor scheme does not ensure adequate protection of personal data as required by the Directive.
As a result of this decision, the Information Commissioner may be prepared to investigate complaints by UK based employees that their employers are transferring their data to the USA without ensuring adequate protection for their.
Employers sharing employees’ personal data with US parent companies may need to review their transfer arrangements and look to implement appropriate alternative compliance solutions in substitution for safe harbor.
If you would like advice about how the issues in this note apply to your situation, please contact Tony Brown on 01225 740097 or by e mail to firstname.lastname@example.org
Warning - this bulletin is provided for information only and is not a substitute for legal advice. You should obtain specific, personal advice about your circumstances and not rely on the information or comments in this bulletin.