
Jean-Yves Gilg

Editor, Solicitors Journal

Safe harbour decision rocks US tech giants

Matthew Rogers considers the impact of policy activist Max Schrems's data protection challenge against Facebook

The Court of Justice of the European Union (CJEU) has ruled that the ‘safe harbour’ agreement on data transfers from the EU to the US is invalid. The decision will have a profound effect on major firms such as Facebook, Microsoft, and Google, which rely on the ‘streamlined and cost-effective’ method to acquire data from Europe.

The ruling arose following a complaint from Austrian privacy activist Max Schrems, who expressed concerns regarding Edward Snowden’s revelations about the National Surveillance Agency (NSA) data collection program PRISM. This allowed US intelligence agencies to access EU citizens’ data stored in the US, raising serious questions as to whether US companies were ensuring an ‘adequate level of protection of personal data’ under the safe harbour privacy principles.

In 2000, a European Commission decision allowed US firms to obtain and process EU data without breaking EU data protection rules (article 7 and article 47 of the Charter of Fundamental Rights of the EU and article 25(6) of EU Directive 95/46/EC) by annually self-certifying that they were adhering to the principles issued by the US Department of Commerce.

Since the inception of the US-EU safe harbour agreement, there have been growing concerns as to the adequacy of protection afforded to personal data in light of significant developments in how data is collected, processed, and used. When whistleblower and former CIA employee Edward Snowden leaked classified information about the NSA in June 2013, Schrems sought to challenge social media giant Facebook over its use of his personal information.

The law student applied for an audit of the data Facebook was passing to the NSA in Ireland, the location of Facebook’s European headquarters, but when the Office of the Irish Data Protection Commissioner (DPC) denied this on the basis of EU law and the commission decision, Schrems brought a case in the Irish High Court.

Judge Hogan agreed the Irish regulator was bound by the 2000 decision and did not have the authority to investigate the case. In referring the case to the CJEU, he submitted that the critical issue was whether the decision prevented the DPC from carrying out its own investigation when a third country did not ensure an adequate level of protection in light of the Snowden revelations.

The CJEU concluded that a commission decision ‘cannot eliminate or even reduce the powers available to the national supervisory authorities under the charter and the directive’. The court added: ‘Even if the commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive.’

The CJEU then declared the safe harbour decision invalid with immediate effect because the commission could not find that the US ensured ‘a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the charter’.

No surprise ruling

The ruling will have come as a shock to more than 4,000 technology companies which rely on the US-EU pact to transfer data back to the States, but the decision should have come earlier according to Advocate General Bot, who gave the non-binding opinion prior to the CJEU ruling.

In November 2013, concerns from EU citizens about the impact of the Snowden revelations led to the commission issuing 13 recommendations on the functioning of safe harbour after finding ‘deficiencies in transparency and enforcement of the arrangement’.

Then, in March 2014, the European Parliament adopted a resolution on the surveillance carried out by the NSA, in which members of the European Parliament called on the commission to immediately suspend the safe harbour principles.

Solicitor and managing director of Digital Law UK, Peter Wright, said the decision came as no surprise, given the way the agreement was structured.

‘In effect, the idea was that individual organisations would do a self-audit and comply with what safe harbour needs and do that on an annual basis, yet an awful lot of organisations didn’t actually reaccredit every 12 months as they were supposed to. When it comes to data storage and management, and in the last few years the advantage of the cloud and how data is transferred and stored, that’s very significant. Therefore, the idea that at some point Europe would take a look at this and say, “Can we trust it?” was always on the cards.’

Fallow period

There was no mention in the ruling of a grace period, so companies will have to act quickly in finding new ways to process and store user data, while national data protection authorities must also act swiftly to ensure the personal data of EU citizens is sufficiently protected.

Further pressure has been applied by the Article 29 Working Party, which will consider legal action against companies continuing to transfer EU individuals’ personal data to the US under safe harbour rules in the absence of a new agreement being reached between the EU and the US by the end of January.

Wright believes full guidance is needed from the international regulators and says organisations should take responsibility by ensuring they do everything they can to safeguard data and that self-audit procedures are complied with.

‘At the moment, we’re in a fallow period while we wait for some proper full guidance from the individual national regulators, guidance we need imminently from the information commissioner and which will officially say what organisations should be doing.’

Wright continued: ‘In the interim, it is going to be a matter for organisations to ask questions of organisations that are storing or transmitting their data, and in effect carry out security self-audit measures they should have been employing from the beginning.’ Wright also said organisations would have to think about the following:

  • Where is our data going and being stored?

  • How is it being transmitted? 

  • Do we need to encrypt it? 

  • Will it be encrypted by our provider? 

  • How long will the data be stored for? 

  • How and when will it be returned to us? 

  • What format will it be returned in?

  • For what will it be used?

  • Who else could access it?

‘These are the sort of questions our own Data Protection Act asks,’ adds Wright. ‘Making sure organisations can satisfactorily answer these questions so that if there is a breach, the organisation can say it has done everything it possibly could have done to comply with what the legislation says.’

However, Thomas Eggar IT and commercial associate Daniel Hedley suggests that, despite the judgment, other gateways are available to transfer data.

‘The CJEU’s declaration that safe harbour is invalid will obviously have significant implications for any EU business which uses US-based cloud services or which otherwise processes personal data in the US. However, it is important to understand that it does not mean that personal data cannot be exported to the US for processing at all; simply that the most convenient legal gateway to doing so lawfully no longer exists.

‘Data protection law provides a number of other gateways to lawful export of personal data to a third country, such as data subject consent, standard form contracts and self-assessment, and the Commission has confirmed in its statement yesterday that those gateways remain available.’

Hedley adds that while in the long term the court’s judgment could also leave some of these gateways vulnerable to attack on similar grounds to safe harbour, in the short to medium term they remain available.

Matthew Rogers is an editorial assistant at Solicitors Journal @sportslawmatt matthew.rogers@solicitorsjournal.co.uk