On October 6, the European Court of Justice (ECJ) ruled that the Safe Harbor Framework fails to provide adequate protections to European Union (EU) citizens, a move that dismantles the 15-year-old framework and replaces it with much uncertainty about the practical implications of cross-border data transfer.
While the ruling had not been expected for three months, the ECJ acted swiftly to endorse the opinion issued just two weeks ago by the European High Court, which agreed with Austrian Facebook member Maximilian Schrems that Safe Harbor does not protect EU citizens from mass surveillance by US intelligence agencies.
The ECJ invalidated Safe Harbor partly because it places national security and law enforcement interests above the fundamental right to privacy, “so that United States undertakings are bound to disregard, without limitation, the protective rules laid down” by Safe Harbor. The ECJ further noted that data review by intelligence agencies is based on no objective or measurable criteria and that EU citizens have no avenue to challenge the use of data held about them.
The judgement puts increased pressure on EU Data Protection Authorities (DPAs), as they now will be responsible for reviewing every citizen complaint regarding data transfer to the United States.
What This Means to backgroundchecks.com Clients and Their Candidates:
While the ECJ ruling has sent the business and privacy communities into a swirl of uncertainty, it is uniformly agreed that it is unlikely that DPAs will suddenly come knocking. There is currently bipartisan legislation before Congress that would provide remedies to EU citizens with privacy act complaints, and negotiations on Safe Harbor 2.0 have been underway for the past two years. We expect extended debate on the topic.
It is important to note the ECJ judgement does allow for data transfer to countries without adequate privacy protections under certain exceptions. The most significant one for clients using international services is where “the data subject has given his consent unambiguously to the proposed transfer.” Of the 28 EU countries that have adopted legislation implementing the EU data protection directive, all but Romania have explicitly adopted this exception.
Therefore, backgroundchecks.com suggests that organizations obtain explicit, written consent from the data subject for information about the data subject to be sent to the United States.