Centre for Research Ethics & Bioethics (CRB)

Unsafe harbours for researchers

2015-12-09

There are many research projects in Europe that have safe harbour as a legal ground for sharing data between the EU and the US. These projects could now be in a peculiar situation as a judgment from the Court of Justice of the European Union concludes that Safe Harbour is not anymore a legally valid ground for sharing data between countries in the EU and the US.

The Court of Justice of the EU has during the last years at several occasions ruled in favour for a stronger protection of personal integrity. This development coincides with the intense negotiations of the EU regarding a new regulation for data protection. In a recent case (C-362/14 Schrems v. Data Protection Commissioner), the Court analyzed the possibilities of transferring personal data from the EU to the US. It found that commercial and political interests are less important than the individuals’ right to personal integrity. This case concerned the so called Safe Harbour Clauses. The Court ruled that the US cannot be considered to be ”a safe harbour” due to the fact that data as such is not protected in American legislation, where national agencies may have direct access to personal data. Further, there is no administrative or judicial infrastructure for individuals to turn to for remedy in case their rights are infringed upon.

First, national Data protection agencies must according to the Court be able to assess the legality of Commission decisions allowing data transfer to third state, in order for the national agencies to fulfil their task of monitoring the compliance of data protection rules safeguarding the fundamental rights. In order to make possible for a national court to refer questions for preliminary rulings to the Court of Justice, the national agencies must be assured a judicial remedy to access the national courts.  This is compulsory and should follow directly from national law.

Second, one needs to identify other, alternative legal grounds for ensuring transfer of personal data cross borders. This could be informed consent in the individual case or Standard Contractual Clauses. The Court is very clear with the fact that an informed consent needs to include information that the data will be sent to the US and that this country does not have a legal system providing for an adequate level of protection. But one could question if that is enough. Is it, for example, possible to consent to not having access to court when this right is fundamental in EU law and forms the very basis of the rule of law?

The European rules on data protection are interpreted by the EU’s Article 29 working party group. This expert group reacted on the Courts ruling within a couple of days. There is, however, still questions remaining that are not easily solved. Following the judgment, the Group conclude that all transfers to the US based upon safe harbour are illegal but that the Group and the national data protection agencies will give politicians and other stake holders in the US and the EU respectively a couple of months to try to negotiate a solution. After this intermediary period, the agencies will decide upon taking common decisions and actions.

By Anna-Sara Lind

More biobank related news