First, there is no legal advice in this blog post (there never is) … just a little bit of reporting.
The Court of Justice of the European Union on October 6 ruled that the European Union-United States “Safe Harbor” Agreement, operating since 2000, was no longer valid. The “Safe Harbor” had enabled cross-border data flows regarding EU citizens to the United States because the U.S. was deemed to have inadequate privacy protections under the EU Data Protection Directive of 1995 (which took effect in 1998). The “Safe Harbor” provided needed protection cover. That is no longer the case.
In its decision, the Court also ruled that the individual data protection authorities in the 28 EU member states have new powers to find any cross-border data transfer mechanism non-compliant with EU regulation, even where the European Commission takes a different view.
According to a recent webinar (October 9), the nullification of the Safe Harbor affects more than 4,000 U.S. companies alone that have relied on it. While the Court reportedly wants data to continue to flow between the world’s two largest markets, it sees an immediate need for a new baseline of privacy protection in the United States, and is committed to providing guidance as soon as possible on how such protections can be afforded and data flows and data processing reinstated. The rub is not with U.S. companies per se; the trouble originates with U.S. government surveillance and law enforcement agencies in the wake of Edward Snowden’s 2013 revelations.
As one professor wrote:
The Court reiterates even more clearly that mass surveillance is inherently a problem, regardless of the safeguards in place to limit its abuse. Indeed, as noted already, the Court ruled that mass surveillance of the content of communications breaches the essence of the right to privacy and so cannot be justified at all. (Surveillance of content which is targeted on suspected criminal activities or security threats is clearly justifiable, however).
—Ars Technica, Oct. 15, 2015
In the wake of the decision, privacy advocates reportedly have allowed three months for a new U.S.-EU “Safe Harbor 2.0” agreement. Otherwise, they will seek coordinated action by EU data protection commissioners against individual companies operating under the previous Safe Harbor, which, again, is immediately invalid. Alternatively, businesses are left to rely on model contract clauses or binding agreements with national data protection authorities (not challenged by the Court’s decision) to maintain existing personal data flows outside the EU or to reinstate newly concluded ones. Risk assessors must be busy.
U.S. and European governments have been working on a new Safe Harbor 2.0 for at least two years, according to Andrea Glorioso, counselor, digital economy/cyber, Delegation of the European Union to the United States. No one is certain when such a revised Safe Harbor agreement may be finalized, but, given the ramifications of the EU court’s decision, it’s in no one’s interest to let this carry on for long.
And a little bit of opinion: Mass surveillance by government and law enforcement — to combat crime and terrorism, for example — and responsible data collection and use by the private sector in the pursuit of economic growth are not the same subject, and should not be linked. Let’s hope a new Safe Harbor will differentiate the two — and not just for Europeans. It’s not as if American citizens are free from worry about what European governments may be up to, and that’s a concern that extends inside our own borders, too.