The EU’s strict data protection laws go beyond the protection available in many other parts of the world. The transfer of personal data outside the EU is tightly restricted. But for 15 years a ‘Safe Harbor’ has been available to permit data transfer to the US. In a decision that has sent shockwaves rippling through the digital world, a European court has declared the Safe Harbor invalid, exposing data-heavy organisations such as social media and e-commerce businesses to new risk and uncertainty.
What is the Safe Harbor?
The EU’s Data Protection laws impose controls on the transfer of personal data outside the EU. This is only allowed if the level of protection given to the data in the receiving country is assessed to be adequate.
In 2000, the EU Commission set up the Safe Harbor to permit the exchange of personal data between the EU and the US by ‘qualifying organisations’. They have to self-certify to the US Department of Commerce that they will adhere to principles for safe processing, such as notice to individuals and adequate security measures.
The Safe Harbor has increasingly been called into question in recent years, particularly in the light of the expanding US surveillance exposed by rogue CIA agent Edward Snowden. The German data protection authorities have taken a stricter approach, calling for data exporters to check whether the Safe Harbor principles are actually followed and whether the recipient’s certification is still valid.
What was Max Schrems’s complaint?
Max Schrems is an Austrian privacy campaigner and long-time Facebook user. Facebook’s EU headquarters is in Ireland, and European users contract with Facebook Ireland when they join up. Their data may then be sent to Facebook Inc. in the US for processing on servers there. Schrems brought the case against the Irish Data Protection Commissioner complaining that the US did not ensure adequate protection of his personal data, particularly against government surveillance activities, and the regulator should investigate rather than relying on the protection of the Safe Harbor.
What did the European court decide?
The court agreed with Schrems. The Safe Harbor was invalid, and the Irish regulator should look behind it and investigate his concerns about data transfer by Facebook.
Where does this leave us?
The risk to companies that rely on the Safe Harbor has increased, but data processors should take time to consider the implications. Despite calls from the European Parliament for immediate suspension of the Safe Harbor framework, we think it unlikely that EU data protection authorities will begin enforcement action over existing arrangements in the short term.
Businesses entering into new data transfer arrangements will need to review the position carefully and may need to bolster their agreements to include model clauses.
The EU is currently in the process of reforming the whole data protection framework, and as a part of that effort, is reviewing the Safe Harbor arrangements with the US. This ruling gives added impetus to that review, but it is unlikely to be completed overnight.
Meanwhile, the EU Commission has announced that it will work with national regulators to come up with new agreed guidelines. This is only the beginning; over the coming days we will learn more about what the true impact of this case will be.