No more safe harbours
6 October 2015
The European Court of Justice’s ruling invalidating the safe harbour principles that have governed the transfer of data from EU citizens to the US will be a cause for celebration among privacy activists. Coming a week after a binding ruling by the Court’s Advocate General Yves Bot that information processed in the US was not subject to the same level of protection received in the EU, you would expect the mood to be one of solemn acceptance. In truth, safe harbour (est. 2000) has been dying since 2005, when the rise of Facebook and YouTube changed the type and amount of information people shared about themselves online, and those companies set about finding ways to monetise that data.
Over the past 10 years the binding principle that “adequate” protection be afforded to Europeans’ personal information by companies operating in the US has been eroded as a transatlantic rift formed. Where Europe moved towards government-led regulation and strong privacy laws, the US opted for light-touch, industry-led regulation. Where Europe saw data as personal property, US companies treated it as an asset to own in perpetuity for commercial purposes. That these diametrically opposed views could be bound by any kind of “adequate” measures respecting the rights of the individual and those of enterprise makes no sense.
This rift was exposed in 2012 when Austrian law student Max Schrems founded Europe-v-Facebook, a pressure group looking to take the 1 billion-strong social network to task for gathering and retaining user data without consent. What started as a consumer movement working its way through the Courts in Austria, Ireland, Brussels and, now, back to Ireland again has turned into a focal point of debate following the spying revelations by NSA whistleblower Edward Snowden. Thanks to Snowden we know that the National Security Agency has had the run of any data stored on servers in the US, shifting Europe-v-Facebook from a consumer advocacy group to a kind of anti-surveillance watchdog.
If Safe Harbour was a game of Jenga, the ECJ’s ruling was the inevitable block that brought the tower down.
So what next? Europe is ploughing ahead with its Digital Single Market plan, one of its tenets being the introduction of common data protection measures to encourage more people to trade online. IT industry lobby group DigitalEurope issued a statement demanding dialogue between governments to come up with a new norm.
“We urgently call on the European Commission and the United States Government to conclude their long-running negotiations to provide a new Safe Harbour agreement as soon as possible,” said Peter Olson, president of DigitalEurope. “We also call on the European Commission to immediately issue guidance to companies operating under the Safe Harbour framework to ensure that essential and routine commercial activities can occur during the current legal vacuum.”
Location, location, location
Sound argument. Right now there are 4,500 US companies operating without guidance. Through no fault of their own they may have exposed customers to scrutiny over something as innocuous as their search history thanks to the NSA’s PRISM programme. Sure, Microsoft, Google, Facebook et al can restore trust by locating their data processing capability in Europe to comply with more conservative, but still reasonable, regulations, but this is not feasible for start-ups. Right now there are some 4,500 US tech companies trading in the EU who depend on safe harbour. The cost of compliance with a tougher regime could endanger job creation, new product development or influence the decision of other companies to trade in the EU at all.
In Ireland, Data Protection Commissioner Helen Dixon has promised swift action through the High Court and Brussels. In a statement issued today, the Commissioner said: “In declaring the old ‘safe harbour’ rules invalid, however, the significance of the judgment extends far beyond the case presently pending in Ireland. In that regard, my office will immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgment can be implemented in practice, quickly and effectively, particularly insofar as it impacts on EU/US data transfers.”
This is a long way from the Office’s original position on Europe-v-Facebook’s campaign, which then-Commissioner Billy Hawkes dismissed as “frivolous”.
I’m looking forward to Mr Schrems’ return to the High Court as he faces a less dismissive DPC.
None of this is to say that you won’t be able to log in to Twitter tomorrow morning. Nothing has changed except the political will to update an antiquated framework. A statement released this afternoon from the European Commission called for the continued transfer of EU citizens’ data to the US. The only thing that needs to change is the quality of safeguard.
A better kind of “adequate” measure you could call it.