On 6th October, the European Court of Justice declared as invalid the well-established accreditation system, called Safe Harbour, for transferring personal data from the EU to the United States.  The basis for the decision was the lack of protection for personal data in the US, particularly in the wake of a series of revelations about how personal data was being accessed by US government agencies.

The original court case related to a disgruntled Facebook user who objected to his personal information being stored in the US.  But the court’s decision affects the thousands of companies, including relocation management companies, which rely on Safe Harbour to conduct their day to day business.  These businesses are now engaged in implementing new solutions which will offer alternative legal protection for their EU to US data flows, while politicians on both sides of the Atlantic attempt to agree a new version of Safe Harbour which will comply with EU privacy law.

Safe Harbour only ever applied to data transfers to the US, so the court’s decision has no direct impact on transfers from the EU to other countries.  However, the underlying issue – the EU’s insistence on high standards of legal protection (and individual consent) for personal data which is transmitted out of the EU – is relevant to all businesses which rely on such data transfers.

The EU maintains an approved list of countries which provide “adequate protection” of personal data.  So far, only Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay have been approved in full.  Canada has been approved for certain types of personal data.  The EU Commission has also approved the transfer of advance airline passenger data to the US, Canada and Australia.

However, the scope of the exemptions which apply to the Australian Privacy Principles means that, at the present time, Australian privacy law is not considered to provide an adequate level of protection for personal data from the EU.

This means that personal data transfers from EU countries to Australia must be protected by one of the specific methods approved by the EU Commission.  These are:-

  • For internal data transfers (within a group of companies) – implement corporate rules for transferring data, in the form of EU-approved Corporate Binding Rules;
  • For 3rd party data transfers – incorporate EU-approved Model Contract Clauses in all contracts with 3rd parties which make reference to the transfer of personal data.

See also an earlier Safe Harbour article: http://www.morton-fraser.com/knowledge-hub/transferring-personal-data-europe-new-challenges-us-corporations

For further information, please contact Gordon Kerr, Director, Employee Mobility Unit, Morton Fraser LLP gordon.kerr@morton-fraser.com