Reasons Why The US-EU Safe Harbor Was Struck Down
On October 6 2015, the Safe Harbor privacy pact between the European Union and the United States was invalidated by the European Court of Justice (ECJ). Originally formulated to ensure stringent and careful transfer of personal data, the Safe Harbor agreement was turned into a free-for-all agreement.
How The Case Began
In 2013, through the Guardian, Edward Snowden revealed to journalists critical and shocking information on how the US National Security Agency (NSA) had massive access to data held in telecomm companies and big internet servers in the United States, against the Safe Harbor agreement provisions. These revelations sparked increased concerns that the U.S. government was using the stored data for surveillance, an activity that was deemed illegal in the European Union. This was also coupled with a series of court cases that eventually led to nullification of the agreement.
As a result of the Snowden revelations, an Austrian Lawyer, Maximilian Schrems, took social media giant Facebook to court citing violation of his privacy and unlawfully retaining his data in the United States, including material he had deleted from his account. Through the Irish Data Protection Authority, Schrems argued that the surveillance activities did not adequately protect EU citizen data that was being transferred to other countries.
Reasons Cited For Strike-Down
After careful deliberations and analysis of evidence, the ECJ declared the Safe Harbor Agreement invalid. This was due to a number of reasons.
No Means Of Redress
According to the ECJ, the Safe Harbor lacked the essential assurance of protection and the implementation did not meet the requirements of the EU Data Protection Directive. This verdict was based on the fact that the United States allowed large-scale collection and transfer of personal data without efficient judicial protection for European citizens or no means of redress.
Large-Scale Access By Intelligence Agencies Raised Questions
In his allegations, Snowden accused the NSA Prism program of gaining unrestricted access to personal data, consequently infringing on personal space. Although the United States tried defending itself on this matter through several means including an online article, the court still found reason to render the Safe Harbor Agreement invalid.
Based on the conclusions by the European Union that there was large scale access by intelligence agencies to data transferred to the US by Safe Harbor certified companies, the ECJ indicated that these activities raised more serious questions. The court stated that the continuity of data protection rights on Europeans after their data was transferred to the US was uncertain.
The ECJ found out that a great number of certified companies did not partly or fully comply with the Data Protection Principle. This was after a clear assessment that points 3-5 and 8 of Communication COM 847 were not adhered to in practice.
Reactions To The Court Verdict
Maximilian Schrems, whose case against Facebook was dismissed on grounds that the Safe Harbor agreement governed and allowed such data flow, was one of the people who responded to the ECJ ruling. His first response stated that the ruling drew a clear line, clarifying that the mass surveillance violated human rights. He also went ahead and said he welcomed the court ruling and hoped that it would be a milestone in guaranteeing online privacy. He added that reasonable redress must be possible.
Schrems also said that the decision clearly highlighted the fact that businesses and governments should understand and adhere to citizens’ right to privacy by abiding and enforcing the laws that protect citizen privacy.
Schrems seemed elated by the fact that this court verdict was a major blow to U.S. global surveillance, which usually relies on private partners who can’t aid the US government violate the rights of European citizens anymore. He concluded by giving a ray of hope to affected companies, reiterating that there were other options companies would use. They involve individual personal data transfer reviews in accordance with relevant country’s laws as opposed to the blanket cover that the Safe Harbor agreement offered.
Based on the judgment, the different EU member states will now individually implement their own data transfer laws and conduct oversight on their own, using their own data protection authorities. This means that in future, U.S. companies seeking to collect and transfer data from multiple EU states will have to comply with the different individual national data privacy laws. This verdict also means that EU member states now have the ability to immediately suspend unlawful data transfer previously conducted in the Safe Harbor agreement.
Actions Companies Should Now Consider
According to Brian J. McGinnis, an attorney with Barnes & Thornburg LLP, the next course of action for affected companies is quite unclear. He however advises companies to find alternatives to the US-EU Safe Harbor as quickly as possible. He also cautions that companies that hesitate to find the next best course of action will unknowingly find themselves breaking a number of EU regulations, probably sending them to legal battles that could have been avoided. Additionally, these companies could find themselves subject to enforcement by European authorities for violation of stipulated data protection regulations, or unable to enter into new agreements with prospective European partners.
To effectively adjust in the new legal landscape, Brian advises companies to first identify and prioritize their most critical data transfers. This should be followed by attaining or re-attaining compliance through contract and agreement amendments. Alternatively, other valid compliance means could be sought.
Companies will now have to individually and clearly scrutinize contracts on a case-by-case and country-by-country basis to ensure that they are not on the wrong side of the law. Lack of a blanket solution will also mean that these companies will have stay informed on legal developments in each area and ensure that they fully comply.
Striking down the US-EU Safe Harbor was a necessary step to ensure that US companies operated in an acceptable manner and EU countries felt that their personal data was safe. To arrive at an amicable and workable solution, the cited reasons should be addressed in order to produce an even better Safe Harbor 2.0.
Image Courtesy: Rawich, Freedigialphotos.net