Storm in a Port - the distinctly unsafe US Safe Harbour for personal data
Data Protection Alert: Storm in a Port – the Safe Harbour Decision is held to be unsafe by the ECJ
Europeans (and people in other countries too) have little protection against civil liberties abuse by US authorities. As most of the largest Internet companies are US based, EU authorities have little control over how the data of EU citizens is used once it leaves Europe. This judgment is a good decision in an area where EU politicians were well aware of the issues with the US but have failed to tackle them head-on. The impact on e-commerce and cross-border business is likely to be far reaching unless political will leads to action.
Reports of the US government’s internet surveillance programme ‘PRISM’, which reportedly permits the National Security Agency (NSA) to collect and monitor huge amounts of personal information from internet companies including Google, Facebook and Apple, were made public in 2013 and prompted outrage across Europe.
As most of the major e-commerce companies in the world are headquartered and based in the US, their data infrastructure, and particularly their cloud infrastructure, has been built around data transfers between Europe and the USA.
On Tuesday 6th October, the ECJ held that the Safe Harbour Agreement is invalid. Safe Harbour (spelt Safe Harbor in the US) is a data transfer process approved by a European Commission Decision made in 2000 pursuant to the Data Protection Directive. It is one of the EU-approved methods intended to ensure that EU citizens’ personal data transferred to the US is afforded an adequate level of protection, despite the US not offering the same level of data protection.
As many people have noted, the revelations by Edward Snowden about widespread communications monitoring by the NSA brought into sharp relief the lack of protection for Europeans’ data when it leaves European shores.
The EU authorities have known for a long time that US law specifically discriminates against non-Americans in a way that guarantees Europeans have few effective data protection rights against the US government once data is held in the USA. However, they largely chose to ignore the issue, as can be seen from the lack of discussion and remedies put forward during the passage of the proposed new Data Protection Regulation.
Protection from unwarranted spying and misuse of personal data by government authorities will require political will for a radical re-assessment of the relationship between citizen and State in addition to the EU/US legal relationship. It will need more serious measures including a requirement that European personal data cannot be automatically transferred outside of the EU, without fair reliance on an exception.
We require a new EU-approved process that ensures interaction with European law and rights of remedy for EU citizens once data leaves Europe. With this decision, and the impact it will have on US e-commerce companies, the pressure is also building for a more radical re-think of how US law applies to persons who are not US citizens.
In the meantime, in order for e-commerce and cross-border business to go forward, US e-commerce businesses are going to have to consider whether they can rely on legal exceptions (such as consent or necessity) or whether they will need to consider alternative technical solutions. Technical solutions could allow for a territorial structure of data segregation that lets users choose whether they want their data going outside of Europe (particularly for Facebook, Google etc.). Alternatively, they may need to look at much stronger data encryption in the cloud (e.g. using a technical system whereby Europeans’ personal data can only be decrypted by US authorities pursuant to European law and a European court order).
This ruling of course impacts a much wider group of companies than just e-commerce businesses. All international businesses that routinely transfer their data to US group companies and outsourced partners will now have to re-consider whether they can rely on any of the processes permitted under the Data Protection Directive for the transfer of data to the US, despite US law clearly not providing suitable protection for Europeans, or find another way to legitimise such transfers.
This judgment is a strong decision in an area where EU politicians were well aware of the issues but have largely avoided tackling them. Perhaps now with the threat to their international businesses the US will find the necessary motivation to engage on these issues.
What is “Safe Harbour”?
The “Safe Harbour” approach was validated in the European Commission’s decision 2000/520/EC (“Decision”), made under powers given to the Commission in the Data Protection Directive of 1995 (“Directive”).
The Directive elaborates the principles that have to be applied in the EEA to ensure an individual’s right to privacy further to Article 8 of the European Convention on Human Rights and Fundamental Freedoms. The Directive states that where personal data is to be transferred outside of the EEA, the onus is on the data controller to ensure that the data is afforded an adequate level of protection in the country it is being transferred to.
As a result of conflicting privacy laws between the US and the EU, the European Commission agreed the “Safe Harbour Agreement” with the US Department of Commerce. The Decision meant that there was then no need for EU data controllers to look into the adequacy of a US company’s protection of data, provided the US company publicly declared that it had signed up to the Decision and adhered to its principles (which are similar to those of the Directive). This voluntary declaration led to a presumption that protection of personal data was adequate.
The Decision allowed for exceptions where the principles of Safe Harbour could be overridden, namely national security, public interest or law enforcement requirements, but conversely Article 3 of the Decision gave the European Commission the power to suspend or revoke the Decision where a breach had occurred or was thought to have occurred.
Two developments led to the challenge. Firstly, there was the PRISM case, in which Edward Snowden revealed that EU citizens’ data had been part of a mass surveillance programme, and that the companies involved appeared to be Safe Harbour signatories.
These revelations led the European Commission to undertake a review of the agreement in the interest of not damaging trade and relations between the EU and the US, notwithstanding its powers to suspend or revoke the Agreement under Article 3. In its conclusions it made recommendations for 13 improvements, which were to be implemented by the US by summer 2014. The review found that the problems lay in self-certification and a lack of enforcement: “improvements had to be made to that decision regarding structure shortcomings related to transparency and enforcement, the substantive Safe Harbour principles and the operation of the national security exception”.
Secondly, on the back of the Snowden revelations, an Austrian student, Maximilian Schrems, complained to the Irish Data Protection Commissioner that his data held by Facebook was not adequately protected in the US, and that therefore his right to privacy under the ECHR would be breached. The complaint was made to the Irish DPC because Facebook Ireland Ltd is the main European establishment of Facebook.
The Irish DPC had refused to investigate the complaint on the basis that Facebook Inc. was signed up to the Safe Harbour Agreement and therefore no further investigation was necessary.
In order for the case to be determined, the Irish High Court referred two questions to the ECJ:
1. Can national data protection authorities conduct their own investigation of relevant data flows?
2. Are national data authorities bound by the Decision?
ECJ decision and reasoning
The ECJ held that:
- National data protection authorities can investigate complaints notwithstanding a European Commission decision such as the Decision; and
- The Decision is invalid as it did not “ensure” that the protections afforded were adequate.
The ECJ found that if the complainant is contesting the compatibility of a Commission decision with the protection of an individual’s privacy and fundamental freedoms, then the national authority must investigate the claim with all due diligence. Further, the fact that the Commission has adopted a decision regarding the adequacy of a third country’s protection of data does not prevent a supervisory authority from investigating a complaint where the complainant alleges that the law and practices of that third country do not provide an adequate level of protection.
In finding that the Decision is invalid, it was stated that the Commission had not determined, as was required by the Directive, that “the third country concerned in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order”.
The Court found that the Commission had not “ensured” that the US, by reason of its domestic law or its international commitments, provided such level of protection. On the contrary, the national security exception, which permitted public authorities to have access on a generalised basis to the content of electronic communications had to be regarded as compromising the fundamental right to respect for private life. Under the Decision, data was capable of being processed in a way that was incompatible with the purposes for which it had been transferred, beyond what was strictly necessary and proportionate to the interests of national security.
Comment was also made on the lack of administrative or judicial means of redress for EU citizens wishing to access their data or have the same rectified or erased.
Now that the Safe Harbour seal of approval has been invalidated, companies transferring personal data to the US will have to seriously consider what to do with the data that is currently stored in the US, as well as new data that is to be transferred.
Although data controllers in the EU may be able to satisfy themselves as to the adequacy of the processing at the destination company in the US, the fact remains that US law is in conflict with that of the EU, and US public authorities can call on those US companies to make their data available for reasons, and in a manner, that are unlawful under European law.
Additional alternative measures that are available for data transfers outside of Europe include:
● The Article 29 Working Party’s “Binding Corporate Rules” for transatlantic data transfers between organisations. These apply to multinational organisations transferring information outside the EEA but within their group entities. The rules, if used, are binding on all companies within the multinational organisation, and must have been approved by the relevant European data protection authorities in order to transfer personal data freely within the organisation. The rules create rights for individuals, which can be relied upon before a court and data protection authorities, and obligations for the company;
● “Model clauses”, which are standard contractual clauses, developed by the European Commission and approved as providing an adequate level of protection, to include in contracts with business partners, affiliates and service providers. There are four sets of standard clauses: two apply to transfers between data controllers, and two apply to transfers between a controller and a processor. If a set of clauses is used in its entirety in a contract, then the controller does not need to make its own assessment of adequacy.
However, if Safe Harbour is not deemed to provide suitable protection then clearly neither can Binding Corporate Rules or model clauses now offer suitable protection, for the same reasons relating to the primacy and deficiency of US law in respect of European personal data once that data is in the US.
This means that data transfers to the US will now require use of one of the following exceptions to the prohibition on transfer to territories that do not have adequate data protection laws:
• where unambiguous consent is given;
• where the transfer is necessary in relation to a contract or a legal claim;
• where protection of an important public interest so requires (for example in cases of international transfers of data between tax or customs administrations or between services competent for social security matters);
• where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest.
In addition to the major issues involving cross-border cloud based computing architecture, the international nature of business means that personal data is routinely transferred outside of the EU (including to the US) for a number of reasons, whether it be that large US companies have subsidiary companies in the EU that need to transfer data back to the parent company, or EU companies that outsource certain functions of their business to the US. The Decision had applied a blanket seal of approval to the transfer of data to the US, provided the receiving US recipient was a self-certified “Safe Harbour” provider.
Businesses frequently use contractual clauses to gain customer consent to the transfer to third countries (including the US). The consent must be given clearly and freely, and can be withdrawn at any time. The consent given must also be informed, and any risks involved in the transfer must be spelt out to the individual at the time. Consent is not deemed valid if the individual has no choice but to give the consent.
Given the far reaching net of US surveillance, and the absolute nature of the US legislation, obtaining blanket consent to the transfer without offering Europeans the choice to keep their data in Europe, where practicable, does not appear to be a reasonable long-term response to this issue. In addition, relying on consent alone may subsequently prove to be unlawful given the great legal complexities involved in anyone being able to genuinely understand the risks of giving such consent due to the complexities of US law and the lack of remedies for unlawful US monitoring.
Whilst companies affected will be afforded some grace period to ensure their data transfer is lawful, it is likely that big US companies and service providers will shortly be contacted by European data authorities asking for detail on how they are legitimising their data transfers and storage in the US. Big companies may have alternative plans in place already, however smaller and medium sized enterprises will have a lot of work to do to address the issue. There are approximately 4000 companies signed up to the Safe Harbour Agreement.
As well as working out how to legitimately transfer their data, companies now also face the threat of data campaigners such as Maximilian Schrems targeting them by requesting information on how they protect their data. National data protection authorities will be bound to investigate complaints, and for the companies being investigated there will be a concern about the PR damage this could cause.
In the short term, immediate technical solutions are required to deal with some of these issues; however, we also quickly need legal and political solutions to avoid a major detrimental impact on international business and e-commerce. It is hoped that the on-going, but so far unsuccessful, talks between the US and EU for Safe Harbour 2.0 will now be fast tracked.
Michael Beckerman, the Internet Association’s President said in a statement:
"In light of this far reaching European Court of Justice ruling, the Internet Association calls on the US and EU to join forces to implement a revised Safe Harbour framework and to issue interim guidance to stakeholders pending this implementation."
Peter Howitt, Director
Jessica Calvert, Senior Associate
Aaron Carpenter, Director
Tel: +350 200 68450 / +44 161 914 9785
This article is for information purposes only. Any opinion, statement or information expressed above is not intended as legal advice and should not be relied upon as such. If you would like legal advice please contact us. We are qualified to provide legal advice on English, Gibraltar and European law.
If you contact us and provide your personal details we will use them to respond to you. If you request to be added to the mailing list we will do so. You can change your mind at any time and we will remove you from the mailing list and add you to a do not contact list if you wish. Simple really.
You can contact us at firstname.lastname@example.org if you would like more information about the information we may retain related to you (e.g. on our databases) or if you have any concerns or complaints.
Ramparts is a European law firm based in Gibraltar.
Thanks for your time.
The Ramparts Team
Ramparts is the trading name of Rampart Corporate Advisors Limited, Company registration No. 107531. Registered Office: G5 Cornwall's Centre, Cornwall's Lane, Gibraltar. Tel: +350 200 68450.