PEER TO PEER: THE QUARTERLY MAGA ZINE OF ILTA 52
FEATURES
Please give us some background about Schrems:
Gayle: Maximillian Schrems is an Austrian student who brought an action against Facebook
because it had transferred data from Ireland, their primary server base in Europe, to the
U.S. After all the Snowden revelations, Mr. Schrems was concerned that his data were
being accessed by unknown people, and not being kept secure according to European data
protection law, which says you can't transfer data outside of the European Economic Area
(EEA) unless you put certain protection in place. The protection Facebook chose to use is Safe
Harbor, which was originally agreed upon by the European Commission.
The Schrems decision said Safe Harbor doesn't do a good enough job of keeping data
safe, making the Commission's decision invalid. If businesses can't use this as a basis for data
transfers anymore, it could be a problem.
Where does that leave multinational
organizations and other companies using
U.S.-based hosting systems or dealing
with U.S. businesses?
Jason: Because of the invalidation of Safe
Harbor, businesses need to act quickly if
that was the primary basis on which they
were transferring data. The questions are:
• Are you transferring data between U.S.
and non-U.S. organizations?
• What was the legal mechanism used
to protect the data?
If you used Safe Harbor, you need to
look at alternative means of protection.
The main ones people are looking at are
model clauses, which need to be put into
your contract. These are clauses you can
negotiate and that have been agreed upon
and signed off on by the Commission.
On October 6, 2015, the Court of Justice of the EU published its judgment in C-362/14 (Maximillian Schrems v Data
Protection Commissioner), declaring the commission's "safe harbor" decision to be invalid. At ILTA's 2015 INSIGHT
event in London, Gayle McFarlane of Cordery and Jason Rix of Allen & Overy LLP explored the basis of the court's
judgment, practical and legal implications, and steps to be taken to mitigate risks in light of the judgment. Here is
some of their post-session interview on the topic.
Hear their entire interview at
insight.iltanet.org.