Menu
No need to panic: European Commission upbeat about Safe Harbour ruling

No need to panic: European Commission upbeat about Safe Harbour ruling

It's not quite business as usual, but there are plenty of ways for companies to carry on sending data from Europe to the U.S. legally

"Aside from taking an ax to the undersea fiber optic cables connecting Europe to the United States, it is hard to imagine a more disruptive action to trans-Atlantic digital commerce."

That was the measured reaction of the Washington think tank the Information Technology and Innovation Foundation to the news that the Court of Justice of the European Union had torn up the Safe Harbour privacy protection agreement on the transfer of personal data from the EU to the U.S.

But the European Commission seemed unperturbed by the abrupt end of the agreement it struck with the U.S. government in July 2000 to ensure that the personal data of Europeans was granted the same legal protections in the U.S. as it was in the EU.

Commission members Frans Timmermans and Věra Jourová took time out from discussing the ongoing refugee crisis in Europe to tell citizens that their main priority is protecting personal data transferred across the Atlantic, and to reassure businesses that their other main priority is continuing the flow of data -- with appropriate safeguards. Timmermans said the court's ruling is "an important step towards upholding Europeans' fundamental rights to data protection" while Jourová said it gave the Commission a better potential for continuing negotiations on a "safer Safe Harbor" agreement with U.S. authorities.

The two dismissed suggestions that the ending of Safe Harbor would bring an abrupt halt to the trans-Atlantic transfer of personal data, pointing out that European legislation also provides for a number of other ways of guaranteeing the privacy of such data.

Edward Snowden's revelations in 2013 of the extent to which U.S. intelligence services were able to access personal information held by companies such as Google and Facebook led the Commission to identify the shortcomings of Safe Harbor and to begin renegotiating the agreement with U.S. authorities, Jourová said.

That same year, a young Austrian law student, Max Schrems, filed a complaint with the Irish Data Protection Commissioner about the way his personal data was being handled by the Dublin-based Facebook Ireland. The DPC promptly rejected Schrems's complaint, saying Facebook's transfer of his data to the U.S. complied with the Safe Harbor rules. Schrems sought a judicial review of the decision from the Irish high court, which in turn asked the CJEU to rule whether the DPC was right to defer to the Commission's Safe Harbor agreement or whether it should have investigated the complaint.

On Tuesday the CJEU told the Irish DPC it had a duty to investigate. Then it went much further, deciding that the Safe Harbor agreement was invalid anyway as it only bound companies, not U.S. intelligence and law enforcement agencies, to comply.

That decision will reinforce the Commission's position in its negotiations with U.S. authorities on the new Safe Harbor agreement: Its hands are now tied by the court's ruling, which limits the concessions it can make.

There's no telling how long it will take to conclude negotiations, Jourová warned: "I wanted to finalize them before the summer, but I found we needed more time for the national security items."

Meanwhile, the Commission has two strategies for reducing the legal uncertainty created by the death of safe harbor.

The first strategy is to encourage companies to switch to one of the other methods of protecting data transfers that are provided for in existing law. These, Jourová said, include the use of standard data protection clauses in contracts between companies or binding corporate rules within a corporate group.

Data can also be transferred on the basis of performance of a contract, she said, giving the example of a hotel booking that can only be completed if the data is sent to the hotel, or if it is in the vital interests of the data subject -- for instance, transmitting their medical records in a life-or-death situation.

In the absence of other grounds for transfer, data can still be sent out of the EU with the free and informed consent of the individual, she said. Expect a flurry of revisions to privacy policies in the coming weeks.

With the court giving national data protection authorities carte blanche to conduct their own investigations into privacy policies, the Commission's other strategy for reducing uncertainty is to ensure they all follow the same rules.

"We will come up with clear guidance for DPAs on how to deal with the transfer of data to the U.S. in the light of the ruling," Timmermans said. "As businesses need legal certainty, the guidance should help avoid a patchwork of conflicting decisions by DPAs."

Privacy regulators are evidently thinking along the same lines: The Article 29 Working Party, the umbrella organization for the EU's national privacy regulators, said Tuesday that it will meet shortly to provide a coordinated analysis of the court's decision.

It's a busy time for Brussels privacy experts: The Commission has two other major privacy projects on the go, both of which Jourová is confident can be completed by year's end.

One is the so-called umbrella agreement with U.S. authorities, governing the access law enforcers have to personal data and providing European citizens with the same right to legal redress if their privacy is violated as U.S. citizens would enjoy in Europe.

The other is to bring the EU's existing data protection law up to date. The current rules were set by the 1995 Data Protection Directive, before companies such as Facebook or Google existed. In 2012 the Commission proposed a regulation further harmonizing privacy laws across the EU while giving more power to national regulators, and is now close to agreement with the EU's other lawmaking bodies, the Council and the Parliament, on a final text.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

New Zealanders kick-started EDGE 2018 with a bout of Super Rugby before a dedicated New Zealand session, in front of more than 50 partners, vendors and distributors on Hamilton Island.​

EDGE 2018: Kiwis kick back with Super Rugby before NZ session
EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018 kicked off with a dedicated New Zealand track, highlighting the key customer priorities across the local market, in association with Dell EMC. Delivered through EDGE Research - leveraging Kiwi data through Tech Research Asia - more than 50 partners, vendors and distributors combined during an interactive session to assess the changing spending patterns of the end-user and the subsequent impact to the channel.

EDGE 2018: Kiwis assess key customer priorities through NZ research
Show Comments