EU data legislation and Safe Harbour: what now?
14 March 2016
Some of the world’s largest companies routinely use cloud technologies to move data across borders, so one would think the legal framework underpinning such transfers would be solid and well agreed. Not so.
In October 2015 the European Court of Justice ruled that the arrangement that allowed the transfer of European citizens’ personal data to the US was fundamentally flawed. In a case brought by Austrian privacy campaigner Max Schrems and referred to the EU’s highest court, the court declared that ‘Safe Harbour,’ the European Commission’s trans-Atlantic data protection adequacy decision in force since 2000, was invalid, essentially because it did not adequately protect the data of EU citizens against access by US public authorities and gave them no effective means of redress.
The consequences were to be enormous. EU data protection law (at the time, Directive 95/46/EC) permits the transfer of personal data outside the EU only where the receiving country ensures a level of protection essentially equivalent to that of the EU, or where another recognised safeguard such as standard contractual clauses or binding corporate rules is in place. Safe Harbour was an arrangement between the EU and the US under which American companies self-certified to the US Department of Commerce that they would protect EU personal data according to an agreed set of privacy principles when transferring it to the US.
“The Safe Harbour system allowed a decision to be made that the protections under certain conditions for data to be shipped to a third party country, in this case the United States, were sufficient as to allow data to travel and it be treated as equivalent to Irish and EU standards of data protection,” said Simon McGarr, solicitor and member of Digital Rights Ireland.
“Since that system was agreed, a great deal of new information about how data was treated, particularly the data of EU citizens, came to light and Mr Schrems took a case in Ireland where he complained that he believed that Facebook was transferring his data to the United States where it was being accessed improperly by the National Security Agency (NSA).”
As part of that case, Schrems went to the Irish High Court, which found that it could not decide his complaint without making a reference on European law grounds to the European Court of Justice in Luxembourg.
Digital Rights Ireland, represented by McGarr, was joined to that reference, and in October 2015 a decision came out from the Court of Justice that said that the Safe Harbour decision was no longer valid.
“In fact, they struck it down and so, at that point, there was no basis for transferring data between the EU and the US using Safe Harbour. Companies couldn’t rely on Safe Harbour after that moment,” said McGarr.
Meanwhile, behind the scenes, a two-year effort by the European Commission and the United States Department of Commerce was underway to negotiate a new and improved level of privacy protection for European citizens.
“They had not been successful up to that point back in October, and it became clear that either talks were going to be successful or that data transfers would have to be halted,” said McGarr.
The matter came to a head when the Article 29 Working Party, the collective group of data protection authorities around Europe, issued a statement saying that from the beginning of February 2016 they would begin enforcement action against transfers still relying on Safe Harbour if no new agreement had been reached between the US and the EU. This had the effect of setting a deadline for a deal between the two parties.
The Working Party insists that there are four guarantees which should be respected whenever personal data is transferred from the EU to the United States or to any other third country, and which apply equally to EU Member States themselves.
Clear, precise rules
The first is that data processing should be based on clear, precise and accessible rules, meaning that anyone who is reasonably informed should be able to foresee what might happen with their data if it is transferred.
Secondly, necessity and proportionality with regard to the legitimate objectives pursued needs to be demonstrated — a balance needs to be found between the objective for which the data is collected and accessed (generally national security) and the rights of the individual.
The third condition is that an independent oversight mechanism should exist that is both effective and impartial. This can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks.
The fourth and final condition is that effective remedies need to be available to the individual; in other words, anyone must be able to defend their rights before an independent body.
Despite a last-minute announcement that a deal between the European Commission and the US respecting these four guarantees, to be termed the Privacy Shield, was imminent, the deadline came and went.
“Subsequently it turned out that no such deal exists — there’s the outline of a potential future deal which hasn’t actually been agreed or settled yet. And there certainly is no new decision by the European Commission that data transfers to the United States are once again valid and legitimate under the Charter of Fundamental Rights,” said McGarr.
The result is that, at the time of writing, Safe Harbour is no longer valid and a successor has yet to be agreed, leaving many technology companies in an awkward position. Safe Harbour was the mechanism by which between three and five thousand companies registered with the US Department of Commerce transferred EU personal data to the US.