Safe Harbour Falls into the Atlantic

The Safe Harbour scheme that provides the legal underpinning for significant volumes of personal data use by the world’s largest technology companies has just been declared invalid by Europe’s highest court.  So does that mean the internet is going to grind to a halt as billions of data transactions get held up at the border? No, but there are going to be some changes in the background to make sure the information keeps flowing.

First, a bit of back story

The EU-US Safe Harbour (or Harbor on the other side of the pond) scheme was put in place about 15 years ago to make up for the fact that US privacy laws were judged to not provide an ‘adequate’ level of protection for EU residents when their personal data was transferred to US businesses for any reason.

Basically it requires the US firms to self-certify that they will be held to a set of privacy principles designed to provide the protections that are lacking in US law.  Some 4,500 firms have until now been relying on the scheme, including many of the internet’s technology giants.

The decision by the EU’s highest legal authority, the European Court of Justice (ECJ), to kill off Safe Harbour has come about through a case brought against Facebook by an Austrian student, Max Schrems, now being hailed as a hero by many privacy advocacy groups.

In the light of Edward Snowden’s 2013 revelations about the extent of mass surveillance by the US security agencies, which allegedly involved unrestricted access to personal data held by Facebook and others, Schrems argued that the protections of Safe Harbour were inadequate.

The Court essentially agreed, noting that the NSA having unlimited access to personal data, combined with there being no provision for an EU resident to take legal action against that access, represents a compromise of the fundamental rights to privacy enshrined in EU law.

With that decision the walls of the Safe Harbour crumbled into the Atlantic Ocean.

So what happens now?

Safe Harbour has been heavily relied upon, largely because it was the easiest route for US companies to legally import personal information from the EU, but it was never the only route.  What happens now is that those companies will need to put other mechanisms in place.  The next best method is what is known as ‘Model Contract Clauses’ – standardised terms and conditions.  Although not complex for most companies to adopt, it does involve a lot of paperwork and admin, so it can take time and be costly.

For larger companies, and especially those for whom data is their stock in trade, the disruption is likely to be minimal.  It is likely to be smaller US businesses for whom this decision will be a bigger additional burden.  Fortunately the EU Data Protection Authorities (DPAs), who will be charged with policing the transition, look likely to be reasonable in giving time for changes to be made.

However, this is unlikely to be the end of the story.  As other notable commentators have pointed out, neither model contract clauses, nor their more difficult cousin, Binding Corporate Rules, contain any protections against US intelligence intrusion greater than Safe Harbour.  So, in the short term, these are equally at risk of being legally challenged.

There is however some light at the end of the tunnel. Negotiations for a replacement to Safe Harbour have been under way now for 2 years.  Although seemingly bogged down in the end game for some months, this decision is likely to put increased pressure on the parties to get them finalised.  This new agreement does contain critical rights of legal redress for EU residents that were missing in the original scheme.

However, the light is not all that bright.  Another part of the decision was to clarify that national DPAs have complete freedom to decide whether or not their laws are being complied with.  This means that even with a new scheme in place and agreed to by the majority, a single DPA could still challenge standardised agreements if it felt national law was being infringed.

Of course all of this is also set to change again when the Data Protection Regulation gets finalised – and who knows what impact this decision will have on those negotiations. As for Max Schrems and Facebook – their battle is also not yet over.  The decision on whether or not Facebook has actually breached EU law now goes back to Ireland’s Data Protection Commissioner, because Facebook’s EU operations are based there.

Suffice to say – we are a long way from hearing the end of this story.