On October 6, the European Court of Justice nullified the international data transfer protocol called “Safe Harbor,” which had been in place since 2000. Safe Harbor has been use by almost 5000 companies to transfer information about EU residents to servers in the United States without breaking the more stringent EU data-protection laws, but all of that has changed now. This new ruling came about because of a lawsuit filed by an Austrian law student, Max Schrems, in light of the aftermath of the Edward Snowdon revelations about global NSA surveillance.
The United States government reserves the right to access data on servers that are owned by U.S. domiciled companies anywhere in the world. European Union laws provide that the transfer of data to a third country can only take place if the third country in question can provide an adequate level of data protection. Given what was revealed in the Snowdon leaks about mass, U.S. government surveillance, in his lawsuit Schrems pointed out that the U.S. does not provide an adequate level of data security and the EU Court of Justice (CJEU) ruled Safe Harbor to be invalid.
In an interview on the BBC World News service, Nuala O’Connor, from the Center for Democracy & Technology, reported that the E.U. Court has sent a strong message that a ubiquitous surveillance society by governments will not be tolerated by individuals wherever in the world we live. Ms. O’Connor also mentioned that smaller to medium sized-businesses might be scrambling to comply with European laws data privacy laws.
With regard to the impending release of “Safe Harbor 2.0,” O’Connor said that her organization is calling on governments around the world to:
- Curtail mass surveillance and instead employ targeted surveillance campaign to suspected criminals
- Enact omnibus federal laws that limit the intrusion of the government on our daily lives
- Put in place strong protections now to defend individual privacy in the wake of smart phone, smart home and smart car technologies that collect data about every aspect of our lives.
The Advocate General and the EU Commission are in the process of working out a new data transfer agreement with the U.S. Details about the agreement have not yet been announced.
How the U.S. is responding
U.S. Federal Trade Commissioner Julie Brill spoke at the Amsterdam Privacy Conference on October 23, 2015, saying:
“In the United States, we are engaged in a robust conversation about these issues. I believe Europeans should engage in this discussion as well, and examine their Member States’ own law enforcement and intelligence data collection practices with the same openness and recognition of the potential impact the practices may have on consumers’ and citizens’ privacy. The ECJ’s decision suggests that the United States and Europe should have an honest dialogue about the ‘essential equivalence’ of all of these data practices within companies, as well as within our law enforcement and national security agencies.”
For the moment, until the United States and European Union formalize a replacement, there is no legal Safe Harbor replacement. Standard Contractual Clauses and Binding Corporate Rules can still be used, but any transfers that take place under the old Safe Harbor decision are considered to be unlawful, and EU data protection authorities will be taking coordinated enforcement actions.