End of Safe Harbor – The Consequences
The CJEU's Recent Ruling and their Consequences for Organizations in Europe
What was Safe Harbor About? EU organizations are not allowed to transfer personal data to countries outside the EU unless they guarantee adequate levels of protection. Safe Harbor provided a mechanism companies to transfer personal data from the EU to the USA. The European Commission published a decision in 2000 that set up Safe Harbor. Thousands of companies, including the internet giants Google, Facebook, Apple and Amazon, took part. The Framework relied on US companies "self-certifying" that they complied with the data protection standards required.
EU organizations aren't allowed to transfer personal data outside the EU unless they guarantee protection.
The CJEU's Ruling
The Court of Justice of the European Union (CJEU) ruled that the Safe Harbor Decision on data transfers to the US was invalid in a judgment dated 6 October 2015.
It also ruled that any future Safe Harbor Agreement 2.0 would not provide blanket immunity for any data transfers. National supervisory authorities are entitled to examine independently whether the transfer of a person's data to non-EU state complies with EU law.
The Instigators
Max Schrems is a Austrian privacy activist. He's campaigned against Facebook in particular due to alleged privacy violations.
In 2014, he filed a complaint to the Irish Data Protection Commissioner in respect of Facebook. When the Data Protection Commissioner rejected the complaint, he applied to the Irish High Court for judicial review. The High Court made a preliminary reference to the CJEU, resulting in the latter's ruling striking down the Safe Harbor Framework.
Edward Snowden is an American whistleblower who leaked documents detailing global surveillance programs run by the NSA.
In the case brought by Max Schrems, the Irish High Court stated, "the Snowden revelations demonstrate a massive overreach on the part of the security authorities, with an almost studied indifference to the privacy interests of ordinary citizens. Their data protection rights have been seriously compromised by mass and largely unsupervised surveillance programmes".
Update (January, 2018): There's a new initiative by Max Schrems to enforce privacy rights in the EU called noyb. It's similar to the lawsuit which in ultimately brought down Safe Harbour, but on a much larger scale. We think it's worth supporting!
Why Was Safe Harbor Problematic?
The Snowden revelations showed systematic mass surveillance on the part of US Intelligence. The prevailing opinion is that this surveillance is in violation of rights under Article 7 and Article 8 of the Charter of Fundamental Rights. EU citizens have no way of challenging these violations of their privacy in a court of law.
The Data Protection Authority in Schleswig-Holstein recently gave an opinion that the transfer of personal data to the USA is not possible under any legal framework whatsoever until the USA ceases indiscriminate mass surveillance.
Is Your Data Safer in the EU?
EU Law provides for safeguards and legal recourse since 1995. Directive 95/46/EC requires the Member States to transpose legislation that regulates the processing of personal data, including the transfer of personal data outside of the EU. On May 25, 2018 the EU GDPR (General Data Protection Regulation) will come into effect with the intend to strengthen and unify data protection for all individuals within the European Union even further.
In addition, Articles 7 and 8 of the Charter of Fundamental Rights grants EU Citizens privacy and data protection rights. EU organization must meet stringent data protection standards and face investigation by national data protection authorities in the event of infringements.
What About the Alternatives Such as Model Clauses or Binding Corporate Agreements?
Google and Facebook have stated that they are not affected by the Safe Harbor ruling because they have alternative arrangements in place such as model clauses or binding corporate agreements. Here's what the data consultants at Castlebridge Associates said about alternatives to Safe Harbor:
But, in reality, Model Clauses to cover transfers to the United States are, on foot of today's CJEU ruling, as useful as a Chocolate Teapot... perfectly fine until the heat comes. (Note: Binding Corporate Rules and others are in the same boat!)
What is the EU-U.S. Privacy Shield?
The EU-U.S. Privacy Shield is designed to replace the now-defunct Safe Harbor Framework. In summary it provides the following:
More redress possibilities. The EU-U.S. Privacy Shield provides that companies must reply to complaints from individuals within 45 days. Provision is also made for free-of-charge Alternative Dispute Resolution. Finally, as a last resort, there will be an arbitration mechanism to ensure an enforceable decision.
U.S. Government promises. The U.S. will provide written assurances that any access of public authorities to public data will be subject to clear limitations, safeguards and oversight mechanisms. The U.S. Authorities will affirm that indiscriminate or mass surveillance will not take place
Annual joint review mechanism. There will be an annual joint review mechanism for monitoring the functioning of the Privacy Shield and the U.S. commitments, including as regards access to data for law enforcement and national security purposes.
Here are some independent view points on the new Privacy Shield agreement:
I have an incredible feeling of de ja vu. And a suspicion we'll be back at the drawing board before long. The text I've seen, while progress to an extent, doesn't appear to address key issues and will inevitably be challenged by an DP authority, an EU citizen, or the Parliament. Even if Privacy Shield was bulletproof, it still doesn't apply to data processors outside of the FTC's remit. And as the Privacy Shield text was negotiated against the Directive instead of the Regulation that is replacing it, we will inevitably wind up faced with a renegotiation within the next 2 years or so. The ultimate fix lies not with the EU but on the US side. Legislative reform is inevitable to avoid repeating cycles of uncertainty.
The WP29 notes the major improvements the Privacy Shield offers compared to the invalidated Safe Harbour decision. Given the concerns expressed and the clarifications asked, the WP29 urges the Commission to resolve these concerns, identify appropriate solutions and provide the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU.
Can EU Organizations Protect Their Customers' Personal Data?
Until the USA offers effective safeguards, it remains unsure whether transfers of personal data to the USA are safe. However, there are alternatives to many U.S. based companies inside the EU.
Companies that don't answer to the NSA. European alternatives to common SaaS categories.
These Companies Don't Answer to the NSA
European Alternatives to Common SaaS Categories. Organizations across the EU need to be able to take advantage of the benefits of software as a service and cloud computing in order to stay competitive in the global economy. That's why we've put together a list of EU-based companies that will only host your data in Europe.
Want to Add Your SaaS or Cloud Company Here?
Leave a comment or contact us and we'll get back to you as soon as possible.