twitter facebook rss

ECJ Says Safe Harbor Is Not So Safe

Posted by on October 8, 2015.

Screen Shot 2015-10-08 at 11.28.58 ‘A milestone’ or a ‘historical’ decision cry the media around the world. It is like a deluge of comments and articles. The Open Rights Group speaks of a ‘Landmark victory for Privacy rights’.

Like a bombshell, following the Advocat General Opinion, the ECJ decision this Tuesday 6 October 2015 held the Safe Harbor decision 2000 invalid. (C362-14)

Daniel Solove, amongst other commentators, gives a very clear background of the case.

in June 2013, the law PhD candidate and privacy advocate, Max Schrems*, asked the Irish Commissioner to prohibit Facebook from transfering his data To the U.S. . He reacted after a data subject request showed the amount of personal data that was collected from his Facebook account, including some deleted posts. His action was blocked by the Irish DPC refusing to investigate the complaint, on the basis that Facebook was protected by the European Commission Decision 2000/520 which set out the Safe Harbor privacy principles. So then, Schrems challenged the Safe Harbor, basically a self-accreditation, adequacy to EU data protection rights. in October 2013, Schrems went to the High Court of Ireland based on Edward Snowden US mass surveillance revelations and the lack of adequacy of data protection in the U.S. On June 2014. The High Court concluded that to continue allowing authorities to “access electronic communications on a casual and generalised basis without any objective justification” contravenes Arts 7 and 8 of the European Charter of Fundamental Rights. It therefore stayed the case while asking the ECJ to determine the legality of the Commission decisions on Safe Harbor and the investigation right of DPC.

Ultimately, the ECJ conceded that Safe Harbor was unable to guarantee adequate data protection to European citizens.

The ECJ, following the Advocat General opinion, invalidated the safe Harbor protection explicitly in view of the NSA I discriminated surveillance revelations by Edward Snowden, and the U.S. Patriot Act giving the U.S. Intelligence agencies access to the data of EU citizens. It decided very clearly that Data Protection authorities, based on the Article 28 of Directive 95/46 must always have the possibility to investigate, with complete independence, a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred.

The level of adequacy has to be balanced according to ‘the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

However the ECJ found that,’Safe Harbor allows Law enforcement to access data beyond what is strictly necessary and proportionate‘. The court also found that the lack of judicial review for European citizen represents a serious flow.

WP art29 states : ‘For several years, the Working Party has been studying the impact of mass surveillance on international transfers and has on several occasions presented its concerns.
Today’s Court judgment confirms that due to in particular the existence of mass surveillance and the absence of possibility for an individual to pursue legal remedies in order to have access and to obtain rectification or erasure, serious questions exist regarding the continuity of the level of data protection when data are transferred to the United-States.

What’s next? No panic says Eduardo Ustaran of Hunton & Williams whom, along with Stewart Room from PwC have been warning on thightened privacy requirements. What are the options? One is the costly BCR or Binding Corporate Rules, that have never had much success. Another is Model contract Clauses.

Would these agreements give a much higher level of protection against the U.S. Surveillance? It’s not guaranteed. The issue might come more from ‘political’ considerations than ‘legal’. Some, such as Jules Polonetsky from the Future of Privacy Forum, argue they will suffer from a lack of transparency. Max Dautlich from the law firm Pinsent Mason develops his view on how BCR will not be an adequate option either. Daniel Solove and few others have pointed out that the EU itself, be it the recent French surveillance laws or the UK GCHQ surveillance, does not necessarily insure real privacy protection.

An ex French Minister, Michel Kouchner, recognised all countries spy on each other and their mutual citizens; however the U.S. interception of communications is on a larger scale. As I was told on Twitter, most of the state surveillance ‘get lost on translation’. Although state surveillance is not a new idea. It is a necessity even in democratic countries, but the general and systematic interception of foreign communications makes it questionable. Whatever next should be protecting the fundamental right to privacy of every citizen. That requires a significant change of law and practice of US surveillance. Article 25 of the Data Protection Directive 95/46/EC contains a set of data protection principles, the first two of which clearly state that personal data from European citizens can only be transferred to a third country outside the European Economic Area if the recipient territory provides an adequate level of protection for that data.

Data Protection authorities of many EU countries have started to issue official statements, along with the Article 29 Working Party (EU data protection authorities), and the U.S. Secretary of Commerce.

Those concerned by this invalidation of the Safe Harbor agreement include not only over 4000 companies that hold certification, mostly big Companies operating between EU and U.S., but also Every business handling data collected or processed based on the EU-US Safe Harbor become unlawful. There is a need to implement other alternatives. The future of cloud computing and social media depends on this.

From a legal perspective, the decision is only as strong as its enforcement. Here is the FTC statement.

This decision comes at the same time as the French data protection authority is having an arm-wrestling match with Google to apply The European regulations to their worldwide activities, in particular the wrongly called ‘Right to be Forgotten‘ after another recent landmark decision by ECJ.

*French Newspaper Le Monde gives a background on the personality of Max Schrems and his motivations.

Everything you’ll need to learn about the Safe Harbor is curated on these Pearltrees that will be kept updated. Accessing from a mobile device will require to download the free application. Come back for updates especially as the EU General Data Protection Regulation is on the agenda.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Expert Views, News, News_legal, News_privacy, News_surveillance, Security, Tara Taubman-Barissian | Tags: , , , ,