The ECJ Holds that the US Safe Harbor Framework is No Longer Valid

on Friday, 16 October 2015.

The European Court of Justice has ruled that 'Safe Harbor', the legal basis used by many businesses and public sector organisations for the transfer of personal data to the US, is invalid.

The Safe Harbor Framework Decision

EU Data Protection law permits the transfer of personal data outside of the EU only where the recipient country can ensure that there is an adequate level of protection for that data.

Until now, US-based companies have been able to register with the 'Safe Harbor' regime, certifying their commitment to a set of data protection safeguards prescribed by EU law. UK-based employers have been able to rely on a US-based company's registration with Safe Harbor as demonstrating the 'adequate level of protection' required.

In a case brought against Facebook by an Austrian citizen, Max Schrems, the ECJ has now held that the Safe Harbor arrangements do not provide adequate protection for the privacy of EU citizens. It is up to the authorities in individual EU member states to examine whether the protection afforded in each case is adequate.

Best Practice

This decision will have a significant impact on UK-based employers that either have US parent companies or use outsourced services with US-based servers. Services affected will include, amongst others:

  • payroll administration
  • CRM systems
  • cloud storage
  • email & website services

The Information Commissioner's Office (ICO) has recommended that all organisations transferring personal data to the US review their existing arrangements to ensure that adequate protection is provided. It has indicated that it will take some time for organisations to carry out those reviews and put new systems in place.

It is advisable to keep an eye on the ICO website for any further advice and guidance it may publish.

In the absence of Safe Harbor, there are a number of alternative methods of achieving compliance when transferring personal data to the US. For example, one way to achieve compliance would be to use the European Commission's model wording for overseas transfers of personal data, which contains provisions on data protection compliance and security.

If you transfer personal data to the US, including by using such tools as Google Drive, Microsoft 365 or other cloud storage, we would also recommend that you review your current arrangements as a matter of urgency.

For more information, please contact Serena Tierney on 020 7665 0817, or Andrew Gallie on 0117 314 5623.