Safe Harbor declared invalid? – Part 1/2

October 9, 2015 at 10:29

The transfer of personal data beyond the borders of the European Union is allowed only when an adequate level of privacy protection can be ensured in the data's destination country. For specific countries, the European Commission has decided that the local privacy protection law is adequate, so that a European level of privacy protection can be fulfilled there.

Unlike in Europe, the USA has no general privacy protection law, and for this reason the so-called "Safe Harbor arrangement" has been used with the USA since 2000. Together the EU and the USA created principles for ensuring adequate privacy protection for personal data that is transferred to the USA.

The goal of this arrangement has been to ensure an adequate level of privacy protection in situations where the personal data of European citizens is handled by a US company, in spite of the fact that there is no binding local law.

The Safe Harbor arrangement is based on the idea that the level of privacy protection is adequate if the US company (the receiver of the data) has publicly committed, by self-certification, to complying with the Safe Harbor privacy protection principles approved by the US Department of Commerce and the European Commission. According to these principles, an organization is obligated, for example, to notify individuals of the purpose of data collection and to give data subjects the right to check and correct their information. In addition, the organization must take the necessary measures to ensure the protection of privacy.

On Tuesday, October 6th, the Court of Justice of the European Union (CJEU) ruled that the European Commission's decision recognising the Safe Harbor arrangement as adequate is invalid. What does this mean and what actually happened?

From the Facebook revolution to revoking the Safe Harbor arrangement

In 2010 the Austrian Max Schrems became tired of the way Facebook collected and used its users' information, and asked Facebook for all the information it had collected on him. The amount of gathered information was enormous: Max received a roughly 1,200-page PDF document that covered everything he had ever done on Facebook. The document also included information that Schrems thought he had already deleted.

In 2013, prompted by Edward Snowden's revelations, Schrems decided to challenge the entire Safe Harbor arrangement and complained to the Irish data protection authority about the transfer of his data from Facebook's Irish subsidiary to servers in the USA. The authority rejected the complaint, citing the Safe Harbor decision, Schrems took the matter to the Irish High Court, and from there the case was referred to the EU Court of Justice.

The decision by the EU Court of Justice [PDF] declares the Safe Harbor arrangement invalid, because it does not sufficiently take into account privacy protection, which is a fundamental right of individuals. The arrangement is considered to provide insufficient protection for the citizens of EU countries, because US authorities have extensive access to their information on national security grounds, without the Commission having established any limits on that access. In addition, the decision states that an individual has no effective legal remedy to access their personal information or to demand its correction or deletion.

What is going to change, if anything?

The invalidation of the Safe Harbor arrangement means that the arrangement in this form is no longer a sufficient and acceptable legal basis for transferring data. It remains to be seen what kind of new regulation will replace the Safe Harbor arrangement, or whether US companies will be prompted to store the data in Europe instead.

Right now it seems that the decision may have both positive and negative consequences:

  • The annulment of the Safe Harbor arrangement may lead to improved privacy protection for individuals, because until now the arrangement was based on a self-certification of compliance with the Safe Harbor principles by US companies, and in practice that compliance was very difficult to verify.
  • On the other hand, the decision may place more administrative and contractual burden on companies that transfer data between the EU and the USA.

What will be the position of service providers squeezed between EU and US law? Could US authorities demand access to information on European servers as well? Will companies that operate in the USA receive demands to turn over data to the authorities that conflict with European law?

To this day, there are no clear rules for such disclosure demands. One example is Microsoft, which has already received an order from a US court to turn over e-mails stored in a data center located in Ireland. Microsoft has appealed the order and has declared that it will not turn over the data.

The practical consequences for privacy protection regulation will become clear later. The forthcoming EU General Data Protection Regulation and its more detailed rules will hopefully bring clarity to the permitted models of operation.

This blog entry was written by Nixu specialists Harri Vilander, Kirsi Vesterinen, and Sanna Kuikka.