Personal Data Collection Is Getting Trickier

Regina M. Joseph

October 7, 2015

On October 6, 2015, the Court of Justice of the European Union (“EU”) issued a judgment declaring that the United States Safe Harbor Decision is invalid. That Decision had been rendered by the EU Data Protection Commission (“Commission”) and permitted, among other things, personal information about European private citizens that was collected by an EU location of a social media site to be sent to servers in the United States.

The judgment was entered in the case of Maximilian Schrems v. Data Protection Commissioner (Case C-362/14). Mr. Schrems, an Austrian citizen and user of Facebook, transferred data from Facebook’s Irish subsidiary to servers in the United States, where it was processed. Mr. Schrems complained to the Irish supervisory authority that his data was unsafe in light of practices by the National Security Agency revealed by Edward Snowden. The Irish authority rejected the complaint, citing Commission precedent that the United States ensures an adequate level of protection for personal data. On appeal, the High Court of Ireland sought an interpretation from the EU Court of Justice.

The EU Court of Justice held that the Commission Decision cannot eliminate or reduce fundamental rights under the EU’s Charter of Fundamental Rights, including data protection, and is invalid, leaving the Irish courts to examine Mr. Schrems’ complaint.

The EU Court’s judgment strikes a chord similar to that of “data localization” laws, such as the one adopted by Russia effective September 1, 2015. Data localization laws mandate that certain data collected in the host’s country must be stored, processed, and governed by the laws of that nation. Further, such data cannot be transferred to another country for storage and processing.

Data localization laws differ in nature and scope. Multinational corporations, particularly those with a social media presence, will have the difficult job of staying abreast of these diverse laws and figuring out a compliance mechanism. In some cases, it may be necessary to station servers within a country with the most restrictive legislation, such as Russia.