Safe Harbour Update

After days of anticipation following the decision by the EU’s highest court to strike down the Safe Harbour mechanism for transferring personal data to the US, the Data Protection Authorities have now spoken.

The Article 29 Working Party, the body that represents the collective voice of the EU’s privacy enforcers, issued a statement on 16 October. They have promised not to rock the boat just yet, but warn that if a viable alternative to Safe Harbour is not found by the end of January 2016, organisations should batten down the hatches and prepare for a storm of enforcement.

OK, enough of the puns.

What this amounts to is more pressure to finish negotiations on Safe Harbour 2.0. Transfers based on Safe Harbour are now unlawful, they state; however, Standard Contractual Clauses and Binding Corporate Rules are still valid tools.

Nonetheless, there seems to be a recognition that these are not completely watertight (OK, one more), as the Working Party will continue to consider what the court judgement means for these other transfer tools, and their continued use is qualified as allowable ‘during this period’.

They also emphasise the fact that the ‘massive and indiscriminate surveillance’ unearthed by Edward Snowden remains an unresolved issue at the heart of the problem.

With this in mind, readers should also take a look at the blog from Microsoft’s respected Chief Legal Officer, Brad Smith. Addressing the issues that we have touched on ourselves, about the problems of jurisdictional boundaries and the global web, his suggestions for a way forward are highly practical.

At the heart is the idea that a citizen’s legal protections should follow their data wherever it is stored. If this could become the basis of new international agreements, many of the issues could be resolved, including processes for lawful access by security and government agencies.

Sounds like plain sailing to me.

Cecilia Malmstrom

EU Data Protection Directive Safe Harbor

It is intriguing that, with all the recent discussion of reforming the EU Data Protection Directive, Safe Harbor, the US framework for complying with Directive 95/46/EC, has not been discussed very often, particularly when the need for US-based businesses to comply with the new EU Data Protection Regulation is such a hotly debated subject. So, let’s delve in and learn a bit about the EU Data Protection Directive and Safe Harbor.

The EU Data Protection Directive, Directive 95/46/EC, was finalized in 1995. As part of the larger framework of policies about privacy and human rights, the directive regulates the sharing of personal data between citizens of the EU and others. In a nutshell, it demands that personal data only be shared if it is processed transparently (the individual knows and consented to sharing that data); it is only taken for an explicit, legitimate purpose that is clearly defined; and it is only processed in accordance with its original purpose for being collected.

The EU Data Protection Directive also mandates that personal data only be shared with countries that have similar data protection regulations; however, this was not a very big concern until the Internet became more prevalent. By 2000, there were already over 360 million people online worldwide, and the number of users was increasing every day. As a result, concern arose about what this meant for EU citizens and the private data they share with US-based organizations. So, the European Commission and the US Department of Commerce produced a framework for how US-based companies could comply with these regulations.

US-based companies that wish to comply with the US version of the EU Data Protection Directive, Safe Harbor, must uphold seven principles: notice, choice, onward transfer, access, security, data integrity, and enforcement. Notice and choice are connected: people must be informed about the data collection, its uses, transfers to third parties, and how to opt out of data collection.

Onward transfer is the principle that one entity may only pass data on to a third party if both are already following all of these principles (and, of course, the original collector gave notice and obtained consent), unless that third party is contracted by the data collector to process data solely on the data collector’s behalf. Security means that the company must take reasonable measures to secure private data. Data integrity means that the data must be relevant to, and accurate for, the purpose it was collected for. Access means that people must have access to their data and be able to easily correct incorrect personal data. Finally, enforcement is the principle that compliance with these principles must be enforced by a third party.

After this legislation passed in the US, the EU issued a final Commission decision, 2000/520/EC, declaring “the adequacy of the protection provided by the safe harbour privacy principles”.* However, since then, the Safe Harbor framework has been heavily criticized, leaving one to wonder whether, after the EU Data Protection Directive is reformed, Safe Harbor will be reformed, completely replaced with a new framework, or…?