Safe Harbour Deal Thrown Out In Major Blow To US Tech Firms
The Safe Harbour data-sharing agreement between Europe and the US is dead – and Facebook is now waiting to discover whether it will have to suspend its transatlantic data transfers as a result.
The European Court of Justice this morning decided to go along with last month’s opinion from advocate general Yves Bot and declare the 15-year-old deal invalid.
And the move will have enormous implications for the likes of Facebook, Amazon and Google, who may now be forced to set up separate European servers to handle their customers’ personal data.
Safe Harbour dates back to 2000, and covers the transfer of commercial data between the EU and the US. It allows US companies to transfer personal data across the Atlantic, as long as they self-certify themselves as meeting certain rules on privacy.
But in light of Edward Snowden’s revelations about mass surveillance by the NSA, Austrian law student Max Schrems took the Irish Data Protection Commissioner, which regulates Facebook in Europe, to court, arguing that his personal data was not receiving the protection that it should.
And because the data transfer was protected by Safe Harbour, the case was referred to the ECJ – which has now concluded that the deal is invalid, as the US won’t guarantee the privacy of personal data.
The consequences could be enormous. Instead of relying on Safe Harbour, US companies will almost certainly be forced to draw up individual contracts, setting out their privacy guarantees.
“A transfer of data is permissible if the data subject consents to the transfer; however this can be incredibly cumbersome to implement, given that the consent must be explicit and apply to each and every transfer, which is unsuitable for continuous data accessing or streaming,” says data protection expert Stuart Buglass, VP at consultancy Radius.
“Although by no means ideal, there is another option – the use of a data transfer agreement. The transfer agreement must comply with the EU Commission model clauses and contractually binds the US receiver to the same EU data privacy standards and liabilities as apply to the EU data controller. Obviously introducing new contractual undertakings to existing supply chains won’t be easy, but given the decision by the ECJ today we can see no other realistic option.”
Whatever happens, though, the shift will mean a great deal more bureaucracy, driving up costs and slowing down business. The decision also opens the door for individual European nations to impose their own rules, fragmenting US companies’ operations in Europe.
The Irish regulator now has to decide whether to suspend Facebook’s EU-US data transfers until the company can satisfy regulators. But while giants such as Facebook and Amazon should be able to manage this within a reasonable time-frame as they already have substantial European operations, there will be big problems for many of the other 4,500 companies that currently operate under Safe Harbour.
“The biggest casualties will not be companies like Google and Facebook because they already have significant data centre infrastructure in countries like the Republic of Ireland, it will be medium-sized, data-heavy tech companies that don’t have the resources to react to this decision,” says Mike Weston, CEO of data science consultancy Profusion. “Many of these businesses will reconsider how and whether they operate in Europe, which is bad news for everyone.”
Christopher Jeffery, Head of UK IT, telecoms and competition at international law firm Taylor Wessing says he expects many national regulators, such as the UK and Ireland, to give companies time to adapt.
However, he adds: “In countries like Germany where Safe Harbour has long been regarded with suspicion the regulators may not be so generous – they may feel concerns about Safe Harbour have been well-flagged and so businesses should have made alternative arrangements by now.”
This is not a view shared by Brian Hengesbaugh, now at law firm Baker & McKenzie, who was the lead attorney for the US Department of Commerce during the original Safe Harbour negotiations.
He tells me: “The European Court of Justice’s adoption of the advocate general’s views on the US-EU Safe Harbour Arrangement lowers the protections afforded to personal data of European citizens, burdens businesses on both sides of the Atlantic, and undermines the authority of the European Commission to make ‘adequacy’ determinations for privacy regimes.”
There’s probably an element of sabre-rattling about the decision, given that the EU and US have spent the last few months negotiating over a new ‘Safe Harbour 2.0’ deal. If so, though, it’s a risky strategy. In the event that the US decided to retaliate and introduce its own set of data standards and requirements, European companies could be in big trouble.
One way forward would be for new deals to echo a recently-struck Umbrella Agreement between the EU and the US that covers the exchange of data related to criminal activities, and allow a national security exception to the privacy rules when ‘strictly necessary’ and proportionate for a given incident.
Meanwhile, the US needs to build on the Freedom Act, says Daniel Castro, vice president of the Information Technology and Innovation Foundation (ITIF), if it wants to return to something like the status quo.
“Congress should pass the Judicial Redress Act to allow non-US citizens to bring civil actions against the United States for violating the Privacy Act,” he says. “US policymakers also should move forward on reforming the Foreign Intelligence Surveillance Act.”
But, he adds: “Europe also has to make reforms, including fully embracing the digital single market. Individual countries should not be able to set their own digital policies, including for privacy, or overrule the EU Commission, as doing so would fragment the digital economy.”