Typically, when Irish businesses sought to transfer employee personal data to US based entities, compliance was usually granted provided the US entity was signed up to a “Safe Harbour” agreement. These agreements stated that the US companies storing customer data could self-certify that they adhered to 7 principles, in order to comply with the EU Data Protection Directive.
In 2000, the European Commission made the decision that this process of self-certification complied with the EU Directive, the so called “Safe Harbor” decision. However in the recent decision of Schrems v Data Protection Commissioner, the CJEU declared that these Safe Harbour principles did not ensure adequate data protection for individuals within the European Union. The EU and US were given three months in which to put a more effective arrangement in place.
This decision could particularly affect the large technology and social media companies, many of which have their global offices in Dublin. We therefore have advised clients to review their arrangements regarding the protection and transfer of employee data, to ensure compliance with the Data Protection Acts 1988 and 2003.
Further, on 1 February 2016, the EU-US Privacy Shield was announced, which has been announced as a framework for guaranteeing that European data is given the same protections when transferred to the US as in the EU. Despite this vaunted claim, the consensus seems to be that it was rather hastily put together in terms of the implementation arrangements that will be required, legal ramifications and ultimate enforceability. Like Safe Harbour, the Shield will operate by way of self-certification.
Impact on Employers
However, in theory, we are told that organisations will have to jump through some additional hurdles, including by way of the monitoring of their data transfer arrangements as well as the imposition of sanctions for non-compliance.
The US law enforcement and national security authorities will also apparently be limited in terms of their accessing of personal data, and individuals’ rights of redress will apparently be increased. The Shield itself is to be reviewed annually.
Arrangements to implement the Shield will not be finalised until May 2016 and it remains to be seen whether (once we have clarity on it) it will actually be adequate to address the ECJ’s concerns. In the meantime, we are continuing to advise our clients to take a conservative approach to the transfer of personal data.
For more articles from this edition of INNANGARD ALERT, click here
CC Solicitors (Ireland)
Tel: +353 1 662 5939