As we reported in our October 2015 edition of the Isle of Man Regulatory Update, the Court of Justice of the European Union (CJEU) ruled on 6 October 2015 (the Schrems case – Case C-362/14) that organisations cannot rely on the European Commission approved Safe Harbor scheme when transferring personal data from the European Union (EU) to the United States of America (US).
The EU’s Data Protection Directive 95/46/EC (Directive) provides that personal data may only be transferred to a country outside the European Economic Area (EEA) if that country ensures an adequate level of protection for the data. This corresponds to the “Eighth Data Protection Principle” as it is set out in the Isle of Man’s Data Protection Act 2002. The European Commission has certified, in so-called “adequacy decisions”, that a number of non-EEA countries do provide “adequate protection”, and the Isle of Man is one of these jurisdictions. In relation to the US, the Commission developed the so-called “Safe Harbor” arrangements, whereby US companies could be certified as providing adequate protection. It was a self-certification scheme operated by the US Federal Trade Commission and, provided a US company had a Safe Harbor certification, the transfer of personal data to it was permitted and complied with the terms of the Directive.
Safe Harbor arrangements had come under increased scrutiny and criticism following Edward Snowden’s revelations in 2013 about US security agencies accessing personal data, all of which culminated in the CJEU’s decision in the Schrems case.
The Safe Harbor provisions underpinned a number of commercial arrangements and transfers between the US and the EU, and many organisations have had a difficult few months putting replacement provisions in place. The other mechanisms to allow compliance with the Directive, such as use of EU Model Contracts and Binding Corporate Rules, still apply following the CJEU’s decision in the Schrems case. However, since the decision, the European Commission has been trying to develop a replacement for the Safe Harbor provisions, and it announced the new arrangement for transatlantic data flows on 2 February 2016 – the EU-US Privacy Shield.