Rely on the most comprehensive, up-to-date legal content designed and curated by lawyers for lawyers
Work faster and smarter to improve your drafting productivity without increasing risk
Accelerate the creation and use of high quality and trusted legal documents and forms
Streamline how you manage your legal business with proven tools and processes
Manage risk and compliance in your organisation to reduce your risk profile
Stay up to date and informed with insights from our trusted experts, news and information sources
Access the best content in the industry, effortlessly — confident that your news is trustworthy and up to date.
With over 30 practice areas, we have all bases covered. Find out how we can help
Our trusted tax intelligence solutions, highly-regarded exam training and education materials help guide and tutor Tax professionals
Regulatory, business information and analytics solutions that help professionals make better decisions
A leading provider of software platforms for professional services firms
In-depth analysis, commentary and practical information to help you protect your business
LexisNexis Blogs shed light on topics affecting the legal profession and the issues you're facing
Legal professionals trust us to help navigate change. Find out how we help ensure they exceed expectations
Lex Chat is a LexisNexis current affairs podcast sharing insights on topics for the legal profession
Printer Friendly Version
Tucker, Senior Consultant at Anexsys Ltd, considers cross-border eDisclosure and personal data in the light of Schrems, which invalidated the Safe Harbour framework.
Citizens of the EU are protected from having their personal data transferred to territories outside the EU, unless it is transferred to a location which is deemed to have “adequate” privacy protections.
The current EU data protection regime is based on Directive 95/46/EC, which requires each Member State to enact data protection legislation that is at least as rigorous as the rules set out in the Directive. The UK, for instance, has implemented
the Directive by the Data Protection Act 1998.
The ‘safe harbour’ agreement that was made between the EC and the US government essentially promised to protect EU citizens’ data if transferred by American companies to the US.
It allowed companies, such as Facebook, to protect EU citizens’ data by self-certification and was binding under U.S. law and enforceable by the U.S. Federal Trade Commission.
Importantly, in the context of dispute resolution, and although a less than perfect solution, it was sometimes relied upon to facilitate the transfer of data to the United States in support of cross-border eDisclosure exercises.
The recent Schrems decision has invalidated the Safe Harbour framework, and to much fanfare. The decision was not totally unexpected though and some have expressed surprise that the regime had lasted so long.
The background to Schrems lies in the United States’ PRISM intelligence gathering programme which grants U.S. authorities access to data stored and processed in the United States, including data held under the Safe Harbour regime. Such access
was found to compromise “the fundamental right to respect for private life”.
Schrems leaves a hodgepodge of rules and uncertainty in place, but this is not really anything new.
Transfers of data / documents containing personal information, which previously relied on Safe Harbour for legitimacy, may now find themselves the subject of investigation and enforcement action by national data protection authorities (DPAs).
On 19 October 2015, the Article 29 Working Party (a body comprised of representatives from each DPA and the European Data Protection Supervisor), issued a statement which, amongst other things, confirmed that Safe Harbour is invalid but that Standard Contractual Clauses and Binding Corporate Rules can still be used as a basis for data transfers, “in the meantime”, whilst the Working Party continues its analysis on the impact of the Schrems decision.
Pending the outcome of this analysis and if no appropriate solution is in place by the end of January 2016, DPAs will take all necessary and appropriate action, which may include coordinated enforcement action. DPAs will put in place appropriate
information campaigns at a national level however.
On 6 November 2015, the European Commission issued guidance summarising the alternative ways to transfer personal data to the United States in compliance with existing data protection laws. These included contractual solutions, intra-group transfers
and the derogations set out in Article 25(6) of the Directive.
As mentioned above, Standard Contractual Clauses or Binding Corporate Rules may still be used as a basis for data transfers. Where these provide no sound basis for the transfer of personal data, the following derogations and solutions may help for
the purposes of eDisclosure:
Dominic Tucker is a Senior Consultant at Anexsys Ltd, a leading provider of outsourced eDisclosure and litigation support services to law firms, corporations and government departments.
0330 161 1234