storm 2012-07-30
The recent invalidation of Safe Harbour between the European Union and United States is being hailed as a victory by privacy advocates and a major step backwards by online businesses. Safe Harbour, a framework that previously allowed the transfer of personal data between the US and EU, was struck down by the European Union’s Court of Justice (CJEU). Since then, many data transfers between the two continents have been deemed illegal.

That means personal data held by Google, Facebook, Apple, and any other multinational company can no longer be moved from computers and servers in Europe to servers in the US or vice versa under the Safe Harbour framework. Ecommerce and cloud storage companies can also be affected. The court ruled that mass surveillance performed by the US National Security Agency (NSA) rendered data protection by these companies inadequate.

But how long will it last? The Article 29 Data Protection Working Party, an EU advisory body composed of representatives from respective countries’ national data protection authorities, gave the US a grace period to renegotiate the Safe Harbour framework. That means no more mass surveillance of EU citizens and companies by the NSA, among other restrictions. After January 2016, online businesses operating across the Atlantic will be cut off unless an agreement is reached.

In case you need a refresher, here’s a review of the major forces in play (not comprehensive):

  • CJEU: The European Union Court of Justice reviews the legality of acts in the European Union and assures everyone is abiding by treaties. It usually makes laws uniform across all member states, although in this case it did the opposite by allowing DPAs to challenge Safe Harbour on a case-by-case and country-by-country basis.
  • DPAs: Data Protection Authorities are national agencies that can investigate claims of malfeasance. In this case, that means they can investigate whether or not the NSA broke any privacy laws, thus providing the grounds to ban data transfers between the EU and US.
  • Max Schrems: The spark that set Safe Harbour ablaze, Max Schrems is the Austrian privacy activist whose lawsuit against his Facebook data being transferred from Irish to US servers became the cornerstone of the CJEU’s ruling.
  • Data Protection Commissioner: The commission that originally granted Safe Harbour status to the US. The CJEU invalidated the Commission’s ruling, effectively abolishing Safe Harbour between the EU and US.
  • United States government: On many levels, the US will have to both draw back its surveillance programs and renegotiate the terms of data transfers to and from Europe. That means getting the go-ahead from the President and possibly Congress, not to mention compliance from the NSA. Major agencies involved include the State Department and the Federal Trade Commission.

Some relevant documents (again, not comprehensive):

  • Article 29 Data Protection Working Party: An EU advisory body on data protection composed of representatives of the national data protection authorities (DPAs). Article 29 WP lays out the next steps for how to handle the CJEU’s decision.
  • CJEU ruling: In Max Schrems versus the Data Protection Commissioner, the CJEU ruled the High Court of Ireland has the authority to investigate whether Schrems’ data was adequately protected from the NSA, thereby invalidating the United States’ Safe Harbour status (Safe Harbour previously prevented such investigations by DPAs). Even though it only directly affects US-EU data transfers, the ruling set the precedent for other countries to do the same, effectively negating Safe Harbour and forcing businesses to resort to model clauses.
  • GDPR: The not-yet-adopted General Data Protection Regulation will replace the current data protection law by 2017. Among its many functions, it will expand the law to cover internet companies outside the EU, assigns a DPA to each company, makes companies more accountable for privacy and security, and forces multinational companies to appoint Data Protection Officers to ensure compliance.
  • Directive 95/46/EC of the European Parliament and of the Council: The EU’s current data protection law that will be replaced by the GDPR.
  • EU Charter of Fundamental Rights: A list of rights for every EU citizen protected under the law. Article 8 deals with the protection of and access to personal data.

Businesses can still utilize model clauses as a workaround in lieu of Safe Harbour until January 2016, which is the cutoff date laid out in Article 29 WP for the US to comply with or renegotiate Safe Harbour standards. Model clauses, or model contracts, provide the terms of sufficient safeguards similar to those in Safe Harbour.

But even prior to January, transferring data is risky. Model clauses, binding corporate rules, and other workarounds are under review by the Article 29 Working Party and could be invalidated just like Safe Harbour. They were enforced by the same Data Commission that the CJEU overruled in the Schrems case. Furthermore, DPAs can still investigate complaints on a case-by-case basis and deem transfers illegal even before the January deadline. As one analyst put it, a model clause is a “chocolate teapot”–a flimsy mechanism mainly used to keep up appearances–with an expiration date.

Fearing the worst, multinationals are already on the move to avoid getting burned. Google, for instance, allows Google Apps customers to opt into a data processing amendment and model contract clauses to evade any fallout. Facebook announced it will attempt to voice its case at the Ireland High Court, arguing it has complied with Safe Harbour standards and did not allow backdoor access to US authorities. A ruling by the High Court of Ireland is expected in November.

Update: Facebook will not be joining the proceedings, however a court decision could be delayed by a very long investigation into Schrem’s complaint by the Irish Data Protection Commissioner.

The EU and US have been negotiating new data protection terms since Edward Snowden blew the whistle on the NSA’s mass surveillance programs in 2012. Officials were not able to reach an agreement that would effectively replace Safe Harbour before the CJEU’s ruling invalidated it earlier this month. Now the clock is ticking, with three months left to come to a consensus. The new arrangement will probably have to be compatible with the GDPR.

Failing to do so would be detrimental to many multinational internet companies. All the model clauses, binding corporate rules, and data processing amendments meant to protect transfers of personal data will stand little chance under the scrutiny of a European court. The odds of this outcome seem low, however. A spotlight turned on the subject combined with a surge of lobbying dollars spent on an end result that serves businesses will likely expedite the process.

For economic reasons above all else, Safe Harbour is likely to make a comeback, though possibly under a different name. Despite the attention from media and activists, lobbying forces during negotiations could water down privacy concerns. Ideally, the EU could force the hand of the United States to draw back its mass surveillance programs, succeeding on the behalf of businesses where the interests of individuals failed.

Storm 2012-07-30” by Jan-Erik Finnberg licensed under  CC BY 2.0