Safe Harbor ruling affecting Hungarian businesses

In its recently released decision, the Court of Justice of the European Union (CJEU) declared that the EU Commission’s US Safe Harbour adequacy decision (Commission Decision 2000/520/EC of 26 July 2000) is invalid and therefore no longer a valid method of ensuring adequacy in the context of international data transfers from the European Economic Area. The Safe Harbor was a self certification system which was established by the European Commission to provide adequate level of protection relative to data transfers to the US, therefore more than 4000 US companies subscribed to it.

Hungarian businesses are also affected by this ruling if they transfer personal data to recipients located in the US, such as service providers or other corporations adhering to the US Safe Harbor framework.

In Hungary, the international transfers of personal data is governed by the provisions of the Hungarian Information Act (Act CXII of 2011) and such transfers are supervised by the National Authority for Data Protection and Freedom of Information (Hungary DPA). Data transfer within countries of the European Economic Area (EEA) are treated as a domestic data transfer in Hungary. However, if the data importer is located outside of the EEA and the country of the recipient is not determined by decision of the European Commission to be a safe country ensuring an adequate level of protection by reason of its domestic law or its international commitments, additional requirements must be fulfilled before data could be transferred abroad. Such additional requirements may include (a) obtaining the data subject’s explicit consent to the data transfer; or (b) by adducing adequate safeguards for a data transfer by way of a contract, such as Standard Contractual Clauses or BCRs.

As a consequence of the Safe Harbor decision, data exporters and data importers who previously relied on the Safe Harbor framework must use other legal bases in order to guarantee the adequacy of data transfers. Considering that ad-hoc data transfer clauses are omitted from the list of adequacy instruments under Hungarian laws, either Standard Contractual Clauses must be implemented between the data exporter and data importer, or the parties may consider obtaining the explicit consent of the data subject in relation to the data transfer. In this latter case, the data subject must be duly informed of the particular risks resulting from the fact that his / her data are to be transferred to a country (namely, the United States) lacking adequate protection. Data transfers in the context of employment requires specific attention, as there is a strong presumption in the practice of the Hungary DPA that employee consent is weak in such contexts, therefore it is strongly recommended to secure adequacy by contractual instruments in such cases.

In its recently released communication, the Hungary DPA has welcomed the decision of the CJEU and indicated that it will analyze the necessary steps resulting from the ruling. According to the Hungary DPA, further guidance is expected on the implementation of the CJEU ruling next week.