Data protection – EU to US data transfers are no longer automatically covered by the ‘safe harbor’ scheme

Print publication


Following an EU law decision, transfers of employees’ personal data from the EU to the US are no longer protected under the ‘Safe Harbor’ scheme. UK employers now need to consider how employee data transfers to the US (both historic and going forward) will be managed and legitimised.

Under the Data Protection Act 1998, employers can transfer personal data about their employees outside of the EU only where the country receiving the data has similar data protection safeguards. UK employers have usually relied on parent or recipient companies’ registration with the US ‘Safe Harbor’ scheme (designed to replicate EU data protection safeguards). This, for many years, has effectively legitimised transfers of personal data about employees from the UK to the US.

The Court of Justice of the European Union (CJEU) has now decided that the Safe Harbor scheme is compromised and the scheme can no longer be relied upon to legitimise EU to US transfers of personal data. This is because, under increased homeland security measures, US security agencies can access personal data held by US employers without the affected employee’s consent.

What does this mean for affected employers?

  • There is no cause for immediate alarm although thought does need to be given to how personal data transfers will be covered going forward. The CJEU decision does not say that all EU to US personal data transfers are unlawful, it simply says that employers can no longer work on the assumption that the Safe Harbor scheme provides total protection from challenge.
  • The Data Protection Act allows for transfers outside the EU where the employee has given consent to the transfer or where the transfer is necessary for entering or performing the employment contract. It is therefore sensible to ensure that employees give written consent to data transfers outside the EU in their employment contract and also to consider the necessity of the data transfers.
  • It would be wise for UK employers to agree a specified level of protection for personal data with US parent companies.
  • Look at where personal data of UK employees is held. If, for example, it is on US based servers of parent companies could it be held within the EU instead?Question whether it needs to be held outside the EU.
  • Consider historic personal data too. If this is held outside of the EU consider bringing it back or deleting any personal data that is no longer required.