Will Safe Harbor survive post Snowden?
Did you know that EU data protection law (the EU Data Protection Directive 95/46/EC) prohibits transfers of personal data to countries deemed to lack adequate protection for personal data unless those transfers are governed by certain legal mechanisms?
The European Commission has determined that the U.S. doesn’t have adequate protections. So, in 2000, Safe Harbor, which is one of those legal mechanisms, was negotiated between the European Commission and the U.S. But reactions to the PRISM scandal have put Safe Harbor under threat.
The EU-US Safe Harbor framework
The Safe Harbor framework is a data transfer mechanism under which U.S. organizations certify to the U.S. Department of Commerce that they provide certain protections for personal data. Those protections are designed to provide privacy protection similar to that found in the European Data Protection Directive. Safe Harbor permits companies to transfer personal data from the EU to the United States without violating EU data protection laws.
The Safe Harbor mechanism is one of those most widely used by companies established in Europe to transfer data to the United States. Almost 4,000 organizations are Safe Harbor-certified and rely on Safe Harbor to allow transfers of personal data from the EU to the U.S. Google, Facebook, Amazon, Microsoft, … are among those U.S. Safe Harbor-certified companies.
EU doubts about the adequacy of the Safe Harbor Framework
In 2013, doubts about the adequacy of Safe Harbor to protect EU citizens’ personal data intensified following the PRISM scandal (the U.S. government’s surveillance program).
In fact, U.S. National Security Agency surveillance authorizes U.S. government agencies to access data on foreigners that was transferred (under the Safe Harbor agreement) to online service providers in the U.S. That is a serious violation of the Safe Harbor agreement.
As a result, U.S. organizations are not able to guarantee that the protection of EU citizens’ personal data – which is a fundamental right under EU law – can be maintained. In fact, they cannot deal with a national security letter or a court order.
Following that concern, European Commission Vice-President Viviane Reding observed in 2013 that the Safe Harbor “may not be safe after all” and that “it allows data transfers from EU to US companies - although US data protection standards are lower than our European ones”.
Since then, the European Commission has made 13 recommendations to improve the Safe Harbor scheme, and the European Parliament has made multiple calls to suspend the Safe Harbor agreement, noting that some companies involved in the NSA’s PRISM surveillance program are certified under Safe Harbor.
Safe Harbor under pressure: Maximillian Schrems v Data Protection Commissioner
Recently, in March 2015, the European Court of Justice heard arguments in a case referred by the Irish High Court on the NSA/PRISM spy scandal (case C-362/14). It may have major effects on the Safe Harbor framework.
An Austrian law student and user of Facebook, Maximillian Schrems, complained about the transfer of his personal data by Facebook Ireland to the U.S. He says that the protection of personal data transferred by the company to the U.S. cannot be guaranteed in the light of the Snowden revelations.
During the investigation, the European Commission admitted, when asked about the adequacy of the Safe Harbor agreement, that it could not ensure that the Safe Harbor regime still offers an “adequate level of protection”.
This admission by the European Commission calls the Safe Harbor agreement into question. The European Court of Justice Advocate General said he would give his final opinion on June 24.