The leaking of classified documents by former CIA employee Edward Snowden in 2013 made global headlines. Opinion remains divided on whether Snowden betrayed his country or whether he should be celebrated as a whistle-blower.
A recent decision of the European Court of Justice (“ECJ”), which stems indirectly from Snowden’s revelations, may have caused a headache for UK employers who transfer their employees’ personal data to the US, for example by storing the details of UK employees on a computer system in the US.
In the EU, it is illegal to transfer personal data to a country outside the EU unless those countries ensure an adequate level of protection for the privacy of that data. Since July 2000, an international agreement known as the Safe Harbour Agreement has been used to facilitate the transfer of data to the US. Companies wishing to transfer data between the EU and US could certify their compliance with the data protection principles set out in Safe Harbour, and this was recognised as an adequate level of protection.
But this week the ECJ held that the Safe Harbour agreement is invalid. The complaint which led to this decision was made to the Irish Data Protection Commissioner by a privacy campaigner. The campaigner requested a decision that Facebook’s EU subsidiary (based in Ireland) should not be allowed to transfer his personal data to the US. This followed the disclosure by Snowden that US intelligence agencies had carried out surveillance on personal data held by Facebook’s US parent company. The Irish Data Commissioner initially found that Safe Harbour provided sufficient protection and declined to investigate the complaint further. The campaigner appealed to the Irish courts and the matter was referred to the ECJ.
The ECJ held that because the Safe Harbour agreement is overridden by US law, which allows its intelligence agencies to access personal data, it failed to give sufficient protection for the transfer of personal data. The case will now return to the Irish courts and the decision could lead to requests for the Information Commissioner in the UK to investigate similar complaints.
The decision may present problems for UK employers who transfer personal data to the US. Ostensibly, they can no longer rely on Safe Harbour to comply with the Data Protection Act and so may need to make alternative arrangements in order to be compliant with the Act and EU law.
The decision was not unexpected and negotiations regarding an amended Safe Harbour agreement which will meet EU requirements have been ongoing for some time. It is expected that these negotiations will be speeded up as a result of this case.
For further advice on this issue please contact a member of our Employment Team.
Please read Reliance on information posted in our Terms of Website Use - see Legal section - before relying on this commentary