The European Court of Justice ruled on 6 October 2015 in the matter Schrems (C-362/14) that national authorities are entitled to assess whether the laws and practices in force in a third country ensure an adequate level of protection for personal data even if the EU Commission has previously determined that the level of protection in such third country is adequate. In particular, the decision authorised the national authorities to investigate and assess whether the transfer of personal data to the United States should be prohibited even if the transfer has earlier been permitted under the US Safe Harbour Regime.
On 20 October 2015 the Finnish Data Protection Ombudsman published a notice in which the Ombudsman clarified his view on the Schrems judgment and urged transferors of personal data to the United States to assess the validity of such transfers in the light of said judgment.
In the notice the Data Protection Ombudsman states that personal data may no longer be transferred from Finland to the United States under the US Safe Harbour Regime, since said regime has been declared invalid by the EU Court of Justice. Instead, a transferor that transfers personal data to the United States must demonstrate that it has ensured, through EU model clauses or proper contractual undertakings with the US transferee, that the privacy and the rights of the individuals are adequately protected in the United States.
In the notice the Data Protection Ombudsman reminds transferors that a transfer of personal data to the United States is also possible with the express consent of each data subject. However, it should be noted that according to the Data Protection Ombudsman, consent to a transfer of personal data is valid only if the data subject has been informed explicitly about what data will be transferred, to which jurisdiction and for what purpose. Accordingly, a general consent to the transfer of data to third countries does not suffice to meet the requirements of Finnish law.
The EU Working Party, consisting of representatives from the national data protection authorities of the EU Member States, called on 16 October 2015 on the Member States and the European institutions to open discussions with the US authorities to find political, legal and technical solutions enabling data transfers to the United States that respect fundamental rights. If by the end of January 2016 no appropriate solution is reached with the US authorities, EU data protection authorities are considering coordinated enforcement actions against unlawful data transfers to the United States.
Pending the outcome of the discussions between the EU and the US on an appropriate solution, we recommend that any arrangements where personal data of Finnish customers, employees, or other individuals may be transferred to the United States are reviewed to ensure that the transferor has sufficiently secured the rights of the individuals and that there is a proper legal basis for any transfer of the personal data.