Goodbye to ‘Safe Harbor’ as US companies need to start playing by the same rules

This week the blogosphere went into overdrive over the news that the non-binding legal opinion of the Advocate General of the European Court of Justice concludes that transferring EU users' personal data to the US under the Safe Harbor scheme, as various technology companies do, does not satisfy current EU data protection and privacy law.

Even before this opinion, the European Commission was already attempting to renegotiate the Safe Harbor Agreement with the US. The Advocate General observed: "If the (European) Commission decided to enter into negotiations with the United States, that is because it considered beforehand that the level of protection ensured by that third country, under the safe harbour scheme, was no longer adequate."

And of course he is entirely right on this point.

The cornerstone of this highly influential legal opinion by one of the most senior jurists in the European Union is its reliance on the fundamental rights enshrined in the EU's Charter of Fundamental Rights and on Article 16 of the Treaty on the Functioning of the European Union.

Taken together, these require compliance with the EU's data protection rules, currently set out in the 1995 Data Protection Directive, which is to be replaced by the forthcoming EU General Data Protection Regulation (GDPR).

The purpose of the existing Data Protection Directive is to harmonise data protection rules across the EU so that divergent national rules do not obstruct the free flow of personal data within the single market, while guaranteeing a consistent level of protection for individuals.

Under the current legislative programme, just announced by European Commission President Jean-Claude Juncker in his State of the Union address, the Commission has signalled its determination to bring forward its plans for a Digital Single Market and the legal framework that sits behind it.

In his legal opinion, Advocate General Yves Bot said that the powers of Data Protection Authorities (DPAs) cannot be fettered in any way that would compromise their ability to "investigate with complete independence the complaints submitted to them in the higher interest of the protection of individuals with regard to the processing of personal data."

These words have been chosen with great care and reflect the direction of travel of the forthcoming GDPR, on which the European Commission, the Council of Ministers and the European Parliament could reach agreement as early as the end of November this year. Certainly the mood music around the current trilogue negotiations points in that direction.

The disquiet over the current Safe Harbor Agreement stems from the "mass, indiscriminate surveillance" by the US National Security Agency (NSA) that was centre stage in the Edward Snowden whistle-blower revelations of 2013, as well as from the continuing legal case brought against Facebook by civil rights campaigner and former Austrian law student Max Schrems.

You may recall that Schrems argued that under Safe Harbor his personal data could end up on US servers and be accessed by the NSA, which would violate his rights under EU data protection and privacy law. The Irish DPA declined to investigate his complaint, relying on the Commission's Safe Harbor decision; Schrems challenged that refusal in the Irish High Court, which referred the question to the European Court of Justice, prompting the current legal opinion.

Lawyers have been openly speculating about whether the ECJ will follow this line or set the legal opinion aside. US-based organisations that do a vast amount of business within the EU are holding their breath for the ruling, which is due by the end of 2015: more than 4,000 organisations rely on the programme to transfer personal data from the EU to the US.

Schrems is clearly enjoying the celebrity he has created for himself by crowdfunding his legal challenge to the Irish DPA's decision on Facebook, and by becoming the unwitting architect of the forthcoming data protection and privacy rules under GDPR.

GDPR could remove Safe Harbor altogether and force US companies to play by the same rules that apply to their competitors in mainland Europe, as well as closing the door on the risk of EU citizens' personal data being subject to mass surveillance.

The European Commission decision taken some 15 years earlier, which permitted US organisations to process the data of EU data subjects freely provided they complied with the so-called Safe Harbor Principles, looks set to become a footnote in US-EU relations very soon.

If the ECJ agrees with the Advocate General's opinion that DPAs have the power to order the suspension of data transfers where there is a proven breach, or a risk of a breach, of fundamental rights, US organisations will find themselves in a new world in which they can no longer rely on Safe Harbor to give them cover for such personal data processing.

A number of questions remain, and we will need to wait for the decision of the ECJ before understanding how they are to be decided, but they include:

  • What is the role of DPAs vis-à-vis the courts?
  • Should the courts pre-empt the DPA (to be renamed the Supervisory Authority under GDPR) by providing their own assessment of a complaint, or should the courts allow the Supervisory Authority to investigate a complaint first and only then consider whether that investigation was properly conducted (which is what Schrems is challenging in the case of the Irish DPA)?

Perhaps GDPR will provide a solution to this delicate balancing act, bringing consistency and certainty to the chaos and confusion caused by the EU's existing data protection and privacy laws.
