• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

EU-US Safe Harbor decision ruled invalid

The Court of Justice of the European Union (“CJEU”) has today stated that the Safe Harbor framework is invalid. This bold decision is likely to have immediate and serious implications for EU businesses that share personal data with the US.

Background

It is a fundamental right of the European Union that individuals have the right to respect for private life (Article 7), the right to protection of personal data (Article 8) and right to an effective remedy and fair trial (Article 47). As part of that protection, EU data protection laws prohibit the transfer of personal data out of the EEA unless that country offers an “adequate” level of data protection through its domestic law. As a country, the US does not meet the EU adequacy requirement and therefore EU businesses cannot legally transfer personal data to the US. However in 2000, the European Commission decided that certain US businesses that self-certify their adherence to the Safe Harbor principles offer a suitable level of protection for European personal data (Decision 2000/520).

However following Edward Snowden's revelations in 2013 about US National Security Agency surveillance of data held by Safe Harbor certified companies, Safe Harbor's credibility was significantly undermined. Despite criticisms from the European Commission and the European Parliament that Safe Harbor does not provide adequate protection, the Safe Harbor scheme was not formally retracted; instead the European Commission has for several years been negotiating a Safe Harbor reform package with the US Department of Commerce.

Max Schrems and Facebook

The judgment delivered today relates to an Austrian student and privacy activist, Max Schrems. Schrems complained to the Irish Data Protection Commissioner that the Safe Harbor scheme did not protect EU citizens against mass surveillance of their data held by US companies certified as Safe Harbor compliant. His particular complaint related to the transfer of his personal data to the US by Facebook’s Irish subsidiary to servers in the US that were Safe Harbor certified. The Irish Data Protection Commissioner did not investigate the complaint because the European Commission had declared that Safe Harbor was a legitimate way of transferring personal data to the US in compliance with data protection laws.

Schrems did not stop there – he contested this decision of the Irish Data Protection Commissioner and the Irish High Court referred the matter to the CJEU. In particular the CJEU was asked to clarify whether national data protection authorities are bound by decisions of the European Commission.  

Last week Advocate General Yves Bot stated that Safe Harbor is an invalid way of sharing personal data. He stated that US authorities have been accessing EU citizens’ data held by Safe Harbor companies in the “course of mass and indiscriminate surveillance” and EU citizens have no effective judicial redress. Additionally the Advocat General has stated that Safe Harbor does not contain enough safeguards to protect EU citizens’ fundamental right of data protection. While the opinion of the Advocate General is not binding on the CJEU, it appears that in this instance they have decided to follow him.

The CJEU’s ruling makes it clear that data protection authorities are required to examine any claim that the transfer of personal data out of the EEA is not in compliance with EU law “with complete independence” regardless of any decision by the European Commission. However only the CJEU can invalidate a decision of the European Commission. The CJEU went on to state that national security, public interest and law enforcement requirements in the US prevail over Safe Harbor principles, so that US companies are bound to disregard Safe Harbor when they conflict with such requirements. Thus Safe Harbor enables interference by US public authorities with the fundamental rights of EU citizens. Additionally access by US authorities to personal data of EU citizens on a “generalised basis” further compromises the fundamental right to respect for private life. Also the lack of legal remedies available to individuals impinges on the individual’s fundamental right to effective judicial protection. Therefore the CJEU concluded that Safe Harbor is invalid. The Irish Data Protection Authority must now examine Schrems’ case and determine whether Facebook’s transfer of personal data to the US affords an adequate level of protection.

What is the impact of this decision?

Without doubt, the companies that will feel the greatest impact from this decision are EU businesses that rely on Safe Harbor to transfer personal data to the US for processing. These businesses are likely to find that continuing to rely on Safe Harbor will likely mean that they will be in breach of EU data protection laws. Therefore it would be prudent for such companies to immediately review their existing data transfer arrangements with the US and consider what alternate solutions for sharing personal data with the US can be put in place.

There will no doubt be significant impacts for US-based companies, in particular large Cloud and IT service providers, who will be facing concerns (and likely contract amendments) from their European customers. They will be preparing to address those concerns and assist their customers.

What are the alternative options?

  • Model clauses. In the short term, model clauses are a sensible option. Model clauses are a set of standard contractual clauses to be entered into by an EU data exporter and the US data importer. As model clauses have been approved by the European Commission, they cannot be amended or negotiated. However model clauses may not be the most practical solution for US businesses as they will need to execute a separate model clauses agreement with each of their EU customers.
  • Binding Corporate Rules (“BCRs”). If companies are sharing personal data with their US group companies only, they may consider putting in place BCRs. As BCRs can be a time consuming process (normally taking about 18 months) and only apply to group companies, it will not be appropriate for all transatlantic data transfers, but once in place this solution offers more flexibility. Some suppliers may also implement BCR for processors, but again, this will not be a quick fix.
  • Anonymising data. It may be worth considering whether it is truly necessary to share the personal data with the US companies. If the same business objective can be achieved through using anonymous data then the data transfer would fall outside the scope of EU data protection laws. It is worth noting that true anonymisation can be quite difficult to achieve, so companies should review the regulators’ guidance about anonymisation to ensure that the personal data has been sufficiently anonymised.
  • Consent. Data protection laws do contain various “derogations” that would allow the transfer of personal data from the EU to the US. The most pertinent is if the individual has given his/her unambiguous consent to the transfer of their personal data. It is worth noting that consent has to be specific, informed and freely given.
  • Assessments of adequacy. Uniquely, UK data protection laws allows UK data controllers to carry out an assessment of the adequacy of the protection afforded by the non-EEA jurisdiction that is receiving the personal data. This will involve the data controller carrying out and documenting a risk assessment to determine whether the proposed international data transfer will provide an adequate level of protection for the rights of the individuals. As mentioned, this adequacy assessment is only permissible under UK laws, and the assessments may still receive some regulatory scrutiny.

While it is too soon to say how data protection authorities will interpret and act on the decision of the CJEU, it does seem unlikely that the invalidity of Safe Harbor will be immediately enforced. However, EU companies that are in on-going negotiations with US businesses should carefully review the data protection provisions in the contracts and ensure that the transfer of personal data does not depend on Safe Harbor, and all should review and consider their transfers.

The decision of the CJEU may help to expedite the on-going negotiations between the EU Commission and the US Department of Commerce for reforms to the Safe Harbor framework. Given the crippling effect ending Safe Harbor would have on transatlantic businesses, especially those in the tech sector, this case is likely to help accelerate a deal being achieved for Safe Harbor reforms.  

UPDATE

Since the CJEU’s ruling earlier this month, the Article 29 Working Party (“WP 29”) has called on Member States and European institutions to negotiate with the US to find alternative data transfer solutions (whether by agreeing a new Safe Harbor framework or otherwise). Discussions will remain at a governmental level for the time being, but WP 29 has emphasised that local data protection authorities must take “all necessary and appropriate actions” – possibly including co-ordinated enforcement – if a solution is not reached by the end of January 2016.​

For further information please contact Nicola Fulford.

Comments from Nicola Fulford can also be found in the BBC's report on the Safe Habor ruling.