Personal Data Flows – compliance following changes to the EU/US Safe Harbour

27 April 2016

While Australia has a robust regime of privacy regulation and enforcement, Australian entities that comply with the Australian Privacy Principles (APP Entities) have the room and ability to step up to align their with the European Union’s (EU) higher level of privacy regulation and enforcement if APP Entities comply with the EU’s Data Protection Directive.


Since 1995, the Data Protection Directive (95/46/EC) (Directive) governs transborder data flows from the EU member states to recipients outside of the EU. A transborder data flow is the transfer of personal data to a recipient who or which is subject to a foreign jurisdiction.

The Directive provides that personal data can be transferred out of the EU to foreign countries provided that the foreign country ensures an adequate level of protection equivalent to the rights under the Directive and the processing of the transfer is in compliance with the Directive.

In 2000, the European Commission implemented a ‘safe harbour’ framework (2000/520) (Decision) for transfer of personal data from the EU to the United States (US) developed by US and Switzerland authorities which (provided that certain contractual protections were put in place) deemed the US to be a safe harbour for the transfer of personal data and therefore meeting the standards of the Directive when the data is processed in compliance with the Directive.

The issue of personal data protection in the EU was brought into sharper focus in 2013 when Edward Snowden made a series of revelations that were published by the Washington Post in the US and the Guardian in the United Kingdom about surveillance by the US National Security Agency of internet and telecommunication systems.

As a consequence of these revelations in 2015 the validity of the safe harbor scheme was challenged in the Court of Justice of the European Union (CJEU) in Maximillian Schrems v Data Protection Commissioner Case C-362/14 (6 October 2015). The case considered whether an EU Member State’s national data protection regulator could disregard the EU Commission’s finding that the US was a safe harbour in which an EU citizen’s EU Charter rights to privacy and data protection were afforded in accordance with the Directive.  Mr Schrems, an Austrian lawyer and privacy advocate argued that the Snowden revelations suggested that EU rights would not be adequately protected after a transfer of personal data. The CJEU agreed with Mr Schrems and declared the Decision invalid in its entirety as it does not ensure “an adequate level of protection.”

Essentially, the declaration of invalidity in the safe harbour decision means that businesses that transfer personal data out of the EU to the US can no longer do so on the basis that the US qualifies as a safe harbour.  The decision has had a significant impact on businesses who were a party to the safe harbour scheme and their data protection obligations in that data protection authorities in the EU have commenced breaching organisations for non-compliance (EU privacy regulators allowed a grace period to the end of January 2016 during which transfers of data would not be challenged) with the Directive if they have not implemented alternate compliance arrangements.  The effect also carries over to businesses that transfer data from the EU to the US where that data is further transferred to other jurisdictions such as Australia.

What does it mean for Australia and APP Entities to whom EU organisations transfer personal data?

The short answer is that APP Entities should understand what they need to do to step-up to a higher standard to attract personal data flows from the EU without putting the EU company transferor of personal data at risk of non-compliance with the Directive.

The Directive allows for data transfers from the EU to non-member states when one of the following occurs:

  • Where the recipient is in an approved jurisdiction outside of the EU
  • Where there is informed consent from the originator of the data;
  • Where the relevant EU member state deems that there are adequate safeguards around the data; or
  • Where the recipient agrees to the standard contract terms prescribed by the Directive.

Australia’s privacy legislation, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), are not considered to provide adequate protection in accordance with the EU’s higher standards.  This is due to exceptions in our privacy regime in terms of optional compliance for small businesses, exceptions for employee records and exceptions for acts outside of Australia that are done in line with foreign law.  Therefore, to be compliant, companies and data holders have to consider whether their procedures, policies and protocols, whilst complying with Australian law including the APPs, also comply with the Directive.

Although the first option of the Directive for data transfers is unavailable to APP Entities and the second and third are commercially and practically problematic, APP Entities can take advantage of the fourth option to facilitate compliance for dealings with EU based companies.

Standard contractual clauses

Model clauses or standard contractual clauses are currently the easiest and fastest way to facilitate compliance.  Standard contractual clauses can also be put in place to regulate intragroup data transfers with companies located in the US as an immediate solution given that their implementation does not require any filing or approval with data protection authorities in most of the EU member states.  Businesses should keep in mind that EU Data Protection Authorities can still challenge a data transfer if there is a problem with how the data is collected in the EU or a problem with how that data is processed in Australia despite the adoption of the standard clauses.

Standard contractual clauses are terms approved by the European Commission to be compliant with the Directive.  By Article 26 (4) of the Directive the European Commission can decide that certain standard contractual clauses offer sufficient safeguards as required by Article 26 (2) of the Directive in that the clauses provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals.

The Commission has so far issued two sets of standard contractual clauses for transfers from data controllers to data controllers outside the EU and one set for the transfer to processors outside the EU.

The standard clauses require that:

  1. All parties warrant and undertake that they have complied with data protection standards which meet the Directive;
  2. A data importer may not subcontract without the prior written consent of the data exporter and then only when a written agreement is entered into that facilitates the same obligations on the sub-processor as the model clauses impose on the data importer;
  3. The data importer remains liable for the activities of its sub-processor;
  4. The data exporter must have a list and copies of all sub-processor agreements, where sub-processors are employed;
  5. The data exporter and importer accept liability to the data subjects for breach  with cross indemnities to ensure that the party responsible for the breach meets the cost of the breach; and
  6. Other prescribed termination provisions and jurisdictional matters.

Therefore an APP Entity, as a data importer, should assess whether it can comply with the standard clauses and whether it is commercially viable to do so because a data importer has arguably onerous obligations.  These obligations include agreeing to limit processing to the specification in the contract, adoption of appropriate levels of security, identification of all staff who require training in data protection matters, and notification to a data exporter of the laws which allow Australian authorities to access the data.

A failure to comply with these provisions will permit a data exporter to terminate the contract with the APP Entity.

It should be noted that in December 2015, Mr Schrems filed three complaints against Facebook with Data Protection Authorities in Belgium, Ireland, and Hamburg in Germany to seek to enforce the CJEU judgment in Schrems on Facebook which relies on standard Contractual Clauses.  Mr Schrems argues that these agreements also incorporate exceptions for cases of illegal mass surveillance, and thus that the CJEU ruling applies to these agreements as well.

Current moves – The Privacy Shield

As a replacement for the Decision, the European Commission is in the process of agreeing with the US on a new framework for data transfers known as the EU-US Privacy Shield. The Privacy Shield seeks to implement a new framework reflecting the requirements outlined by the European Court of Justice after the Schrems case.

As part of the Privacy Shield, the US Government has committed in writing to the EU that the Privacy Shield will be strictly enforced with no mass surveillance by national security authorities.  Stronger monitoring and enforcement will be conducted by the U.S. Department of Commerce and Federal Trade Commission, including through increased cooperation with European Data Protection Authorities.

The Privacy Shield is based on four main points:

  1. Stricter obligations imposed on US companies as to how European personal data is processed and individual rights of European’s are protected (by committing to the Privacy Shield these companies will be bound under US law and if those companies breach the Privacy Shield they may face sanctions and the removal from the scheme thereby blocking data transfers);
  2. Greater transparency of the extent of and the limitations on US surveillance (noting that this was the main issue in Schrems – there may be the possible establishment of an Ombudsman mechanism within the US Department of State who will be independent from national security services);
  3. EU citizens will be provided with a number of possibilities for redress in case of breach (including resolution of complaints within 45 days, a free alternative dispute resolution service and EU citizens being able to approach local Data Protection Authorities to ensure that complaints are investigated and resolved); and
  4. An annual joint review mechanism which will monitor the functioning, effectiveness and commitment of companies and governments to the Privacy Shield.

Both EU and US authorities will monitor compliance and where there is a breach a US company might face a challenge from both EU and US authorities.

It is expected that the Privacy Shield will not be approved until about August 2016.

This means that APP Entities who receive EU data, particularly where it is being imported via the US, should review their current arrangements with data exporters in terms of ensuring they have standard contractual clauses in place but also be mindful that they will be faced with further obligations of commitment to data protection standards imposed by the EU once the Privacy Shield commences.


APP Entities seeking to have data transferred to Australia from the EU, including via the US, must be prepared to implement policies and procedures which allow them to match the privacy standards required by the Directive.  If they do this, then they will be considered compliant and may attract flows of personal data from the EU.

This article was written by Brendon Noney, Partner and Tia Singh, Graduate.

Subscribe to HWL Ebsworth Publications and Events

HWL Ebsworth regularly publishes articles and newsletters to keep our clients up to date on the latest legal developments and what this means for your business.

To receive these updates via email, please complete the subscription form and indicate which areas of law you would like to receive information on.

Contact us