Transfers of Personal Data from EU/EEA Countries

On 6 October this year, the European Union’s judicial body, the Court of Justice (ECJ), ruled, in the case of Schrems v [Irish] Data Protection Commissioner, that the “Safe Harbour” agreement between the US and the EU, which has allowed personal data to be transferred legally between EU countries and the US for 15 years and which some 4,000 US companies currently rely on, is invalid.

For the purposes of personal data transfer, EU law applies also to transfers from the three other countries which, with the EU, make up the EEA, Iceland, Liechtenstein and Norway, so references in this note to “EU” include those three countries.

What is “personal data”?

Data which relates to a living individual who can be identified from that data, including any expression of opinion about the individual, and any indication of the intentions of the data controller or any other person in respect of that individual. For example, much of the information held by companies about their employees will constitute personal data.

What the ruling means for EU-US personal data transfers

The ruling means that, in the vast majority of circumstances, personal data cannot now be transferred legally from a company within the EU to a US company (absent a specific consent to the transfer from the person whose personal data is being transferred (the data subject)) unless:-

• so-called “Binding Corporate Rules” have been put in place within a corporate group, which have received prior approval from the relevant national data protection regulator. The aim of Binding Corporate Rules is to implement safeguards within the group, such that the rights of the data subject will not be prejudiced as a result of the transfer to the US; or
• a binding data transfer agreement is put in place between the data transferor in the EU (the data controller) and the data recipient in the US which contains standard contractual clauses for the transfer of personal data issued by the European Commission. The terms of such an agreement are subject to approval from the relevant national data protection regulator.

Implication of Schrems for transfers of personal data from the EU to other countries

UK law, in common with that in other EU countries, provides that personal data must not be transferred to a country or territory outside the EU unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to processing of personal data.

A very limited number of countries are recognised by the EU as providing such a level of protection.

In the case of most other countries, it is likely to be illegal under national law for a company to transfer personal data to a company outside the EU, absent specific data subject consent, or Binding Corporate Rules or a data transfer agreement being in place.

As a result of Schrems, there is likely to be considerably more scrutiny by EU national authorities of personal data transfers to non-EU countries, particularly where there is any question that, as was indicated by the ECJ in Schrems, the fundamental rights of EU citizens in relation to protection of personal data might be put at risk because “national security, public interest and law enforcement requirements” override what are considered to be proper safeguards in the data recipient’s country.

It is, accordingly, very important that, where any company is transferring personal data outside the EU, it assesses thoroughly the data protection regime in the data recipient’s country, which, in most cases, is likely to mean that Binding Corporate Rules or a binding data transfer agreement must be in place to allow legally-compliant personal data transfer to occur.