Under the Data Protection Acts 1988 and 2003 (the DPA) Irish entities are restricted from transferring personal data to organisations in the US unless it either: (a) has express consent from the data subjects themselves; or (b) avails of one of the exemptions recognised in this jurisdiction by the Data Protection Commissioner (DPC) namely the use of;
(i) Binding Corporate Rules (BCRs)
(ii) Model form of contract (Model Contracts); or
(iii) The Safe Harbour Rules (the Rules)
By far the exemption most used in Ireland is the Rules. In July 2000 the European Commission (the Commission) declared that any US company signing up to the Rules would be deemed to provide an adequate level of protection for personal data. The Rules were thus designed to bridge the gap between Europe’s stringent data protection rules and the US’ more laissez faire approach. Any organisation which signs up to the Rules is obliged to declare to the US Commerce Department that they’re meeting European standards of data protection. The organisations however, are not compulsorily subject to any independent verification.
This system of “self certification” came under close scrutiny in 2013 following the sensational revelations made by whistle-blower Edward Snowden with respect to the PRISM programme. Mr. Snowden revealed that the National Security Agency (NSA) has unrestricted access to EU citizens’ personal data held by US entities despite such entities guaranteeing data privacy by signing up to the Rules.
The Snowden revelations prompted the EU’s civil liberties committee to propose a resolution to abolish the Rules. The resolution included an admonition of the regime noting that “proper oversight of data protection should not depend on journalists and whistleblowers”. The resolution was passed by the European Parliament. However, the Parliament’s resolution does not affect the validity of the Rules as only the Commission can renegotiate the Safe Harbour Framework.
In response to mounting pressure, the Commission issued 13 recommendations to improve the functioning of the Rules, and called upon U.S. authorities to adopt these recommendations by summer 2014. This deadline came and past without resolution, with US authorities unwilling to provide acceptable guarantees on national security access.
While negotiations are still ongoing between the Commission and US authorities, DPCs in member states are losing patience. At a recent data protection conference in Berlin, Dr. Dix the DPC for Berlin stated that:
“The Safe Harbour agreement is practically dead, unless some limits are being placed to the excessive surveillance by intelligence agencies”.
Dr Dix confirmed that the German DPAs in Berlin and Bremen have initiated administrative proceedings against two U.S. companies that base their data transfers on the Rules. In addition he stated that both DPA’s have expressed their intention to suspend data transfers to these entities for a limited time.
Here Judge Hogan in the High Court in the recent case of Schrems v DPC accepted that the Snowden revelations undermine the legitimacy of the Rules. He noted that the protection of personal data is now enshrined in the European Charter of Fundamental Rights. He questioned therefore whether it is incumbent on national DPCs to look behind the commission’s decision with respect to the Rules in circumstances where a legitimate complaint is made against them. Judge Hogan referred this question to the European Court of Justice (ECJ) which is hearing the case this week. The validity of the Rules therefore hangs on the ECJ’s ruling.
In light of all of this discontent with and uncertainty around the Rules, Irish organisations should consider other options to safely transfer personal data to US entities. Identifying the most appropriate option requires an analysis of the business and operations of the relevant organisation. Those options include:
- 1. Obtain express consent in advance from the data subject to the transfer
To do this the Irish entity must ensure firstly that the data subject:
a) gives their consent freely and explicitly;
b) knows and understands what they are agreeing to;
c) has been told the reason for the transfer;
d) knows the country to which the information will be transferred; and
e) has been made aware of the risks to her personal data caused by the transfer.
- 2. Adopt the EU approved model contracts
Option 1 is not available when the data subjects’ personal data has already been collected. Accordingly, putting in place a form of contract approved by the European Commission as a means of ensuring an adequate level of protection may be the only option available to the Irish entity.
This approach imposes a contractual obligation on the parties to provide an adequate level of legal protection for personal data transferred between Ireland and the USA (or indeed anywhere outside the EEA).
In essence, all parties have to warrant and undertake that they have complied with data protection standards which meet the requirements of the DPAs in respect of the data being transferred.
- 3. Adopt Binding Corporate Rules
Finally, a multinational company with operations inside and outside the EU can use what is known as ‘Binding Corporate Rules’ (“BCRs”) to allow for international transfers of personal data within a global corporate entity. The principal benefit of BCRs is that the company does not have to sign up to standard contractual clauses each time it needs to transfer data to another member of the group.
BCRs are the preferred method of legitimizing the transfer of personal data and secure consumer and business partner confidence. The downside however, is that BCRs are only useful for large multinationals as they cannot be used to transfer data to companies outside of the group. Furthermore, establishing BCRs can be a complex and lengthy process. An application for approval of the BCRs must be submitted to and approved by the data protection authority of the EU Member State where the company has its headquarters, or main EU centre of activity. In the case of an entity whose EU headquarters is based in Ireland, the Irish Data Protection Commissioner would have to approve any BCRs put in place.
Contact Eoin O’Cinneide for more information.
This publication is for guidance purposes only. It does not constitute legal or professional advice. No liability is accepted by Ogier Leman for any action taken or not taken in reliance on the information set out in this publication. Professional or legal advice should be obtained before taking or refraining from any action as a result of the contents of this publication. Any and all information is subject to change.