
Safe Harbor Agreement invalidation – what to be prepared for

October 8, 2015

The Safe Harbor Agreement is a U.S.–EU agreement between the European Commission and the United States Department of Commerce, by virtue of which a Safe Harbor list is open to U.S. organizations. Once businesses meet the conditions and join the list, their European operations are considered compliant with the European Data Protection Directive, and such enterprises are therefore allowed to transfer personal data to their U.S. databases.

Such an agreement was necessary because of another European act dating back to 1998 (EU Directive 95/46/EC, adopted in 1995 and transposed into national law by 1998). The European Commission’s Directive on Data Protection banned “the transfer of personal data to non-EU countries that do not meet the European Union (EU) ‘adequacy’ standard for privacy protection”. The EU approved the Safe Harbor Agreement in July 2000, making it possible for American companies to comply with the European regulations on privacy.

The NSA surveillance incident in 2008 affected this agreement and created a trust issue. The European Parliament therefore suspended Safe Harbor in March 2014, but this action requires the endorsement of the EU Commission, the European body that handles any reform, renegotiation or annulment of this act on the European side.

The Commission had previously issued a reform proposal concerning the right to be forgotten (taking this European standard into account and making the corresponding changes to the original Safe Harbor Agreement), but the Parliament and Council have not turned it into a regulation.

Because of this lack of coordination between the European institutions, the SH Agreement remained a valid instrument for 15 years, serving American organizations that conduct operations in Europe.

Safe Harbor Agreement and the Schrems decision

However, another European institution was called in on this matter. A 27-year-old Austrian citizen and law student, Max Schrems, challenged the Safe Harbor Agreement before the Irish High Court, which decided that the case fell within the jurisdiction of the Court of Justice of the European Union (CJEU) and subsequently referred the Schrems case to that institution.

What is the case all about? Maximilian Schrems joined Facebook in 2008 and had to sign an agreement with Facebook Ireland regarding his private data. Because of how cloud computing works, and since Facebook is an American company, Schrems assumed his data would actually end up (or might theoretically end up) on American soil and therefore be exposed to NSA activities under the “PRISM” provisions. This potential consequence would violate the Charter of Fundamental Rights of the European Union, argues Schrems.

In March 2015 the arguments were heard before the CJEU, and on September 23 the Advocate General in the case delivered his opinion. The decision was due on October 6, 2015. It was awaited with concern, because Yves Bot’s non-binding opinion found that the SH Framework did not establish a priori that U.S. data protection is always adequate and, furthermore, that the SH Agreement in fact offers inadequate data protection.

Let’s see how the CJEU decision compares to the Advocate General’s opinion and what its effects are. The first reports from 6 October indicated that the SH Agreement had been deemed invalid by the Court, and that the Irish Data Protection authority was given the authority to decide the outcome of Mr. Schrems’ case.

The decision itself can be accessed here.

The New York Times immediately considered the possible effects of the CJEU decision and wondered how affected U.S. companies might immediately comply with what is already being called “the invalidation” of the American–European data pact.

Possible effects of Safe Harbor Agreement invalidation

The CJEU decision runs contrary to the statement issued on September 28 by the United States Mission to the European Union: the U.S. Mission strongly supported the SH Framework and disputed the Advocate General’s findings.

The invalidation of the SH Agreement is interpreted as turning all transatlantic data transfers made by U.S. enterprises into illegal transfers under EU law.

Although the effects of such a decision may not be enforced immediately, the fact that Maximilian Schrems is an activist might accelerate the ensuing effects: he or other privacy activists might seek injunctions to block European data exports.

The immediate effect is a jurisdictional one. Upon request, national data protection regulators may now review how the SH companies use their data-sharing privileges and impose limitations when there is a plausible belief that data privacy is insufficiently protected.

Also, European privacy watchdogs might be given a more important role in the European – American data privacy matter.

As a countermeasure, American companies operating in Europe could store their European customers’ data only in their data centers located on European territory.

The biggest estimated impact concerns U.S. B2B providers that have operations in Europe: exporting European data for U.S. processing no longer falls under the protection of an unchallengeable act.

Examples of concerned parties are: B2B organizations that deal with cloud data storage (and use American databases), global companies whose HR departments are located in the U.S., online retailers that process European data in their U.S. facilities, and any other businesses that work with data “imported” from Europe.

As the WSJ states, currently around 4500 companies rely on the SH pact for their operations, ranging from famous organizations like Facebook, Apple or Google to many smaller tech firms and companies in other lines of business. All these companies may face disruption of their activities because of the recent CJEU decision.

Mitigation options for B2B organizations

An article we previously quoted considers the preventive changes that enterprises (“data controllers”) confronted with the potential effects of the Schrems decision might make:

  • Invoking “derogation” cases that may apply to the data transfers in accordance with the original 1995 EU Data Protection Directive;
  • Employing model clauses – noted as the most obvious solution to this situation;
  • Modifying the data format so that anonymity is ensured, thus avoiding personal/individual privacy issues;
  • Using Binding Corporate Rules to deal with all global transfers – although this would take time and money, it is an overall solution and it provides ease of operation once installed.

Credit card processing and social network communications face an unclear status following the EU decision, since it would be very difficult to determine which element falls under a given jurisdiction. A person’s citizenship does not necessarily extend to his or her bank accounts, nor to the information he or she posts on the Web, if that information is replicated by his or her connections.

Another suggested plan of action (from an international law firm) recommends, among other measures:

  • Assessing all data in view of the new rules;
  • Prioritizing key transfers over the less important ones;
  • Considering an ad-interim contractual solution for all the entities involved in transatlantic data transfer.

Smaller businesses (like small cloud service providers) and small startups are in a harder place, at least at first sight. They will have to invest more in avoiding liability and in working with or around the new boundaries enforced by the European ruling. Bigger companies have more means of finding a new safe spot for their operations, but, on the other hand, they might be more attractive targets for lawsuits based on the newly created situation.

We will be reading a lot about Internet disconnection, a double set of regulations, data bifurcation, commercial disruption and so on.

Another possible consequence would be a new SH agreement, the sooner the better for all U.S.-based operations. Nevertheless, even if a Safe Harbor Agreement II were chosen as the course of action, negotiations would take a while and would probably be conducted with the ECJ’s position on the matter in mind.

At the end of the day, the 2015 decision may be construed as a stern reminder of how important responsibility and firmness are when it comes to privacy protection and cyber-security.