Data Protection: US Safe Harbor Rule No Longer Safe 

With special thanks to Robert Onslow of 8 New Square, for this article.

The revelations of Edward Snowden in 2013 – to the effect that the US authorities’ surveillance of electronic communications in the US was wider than some had previously thought – continue to create aftershocks throughout the global political world and more recently, as illustrated in a judgment of the Court of Justice of the European Union (CJEU) earlier this month, in the global commercial world.

The CJEU judgment is Schrems v the Irish Data Protection Commissioner. Mr Schrems is a Facebook user. He complained to the Irish Data Protection Commissioner that his personal data in his Facebook account was liable to be made available by Facebook to the US government without his consent.

Before the Snowden revelations, his complaint would not have succeeded. In 2000, the EU Commission had satisfied itself that a self-certification scheme adhered to by Facebook, Google, Apple etc. – and known in the jargon as “Safe Harbor” – provided an adequate guarantee to the likes of Mr Schrems as to the security of his personal data on Facebook servers. The self-certification scheme only allowed the information to be divulged by Facebook to the US government essentially for national security purposes.

Mr Schrems successfully argued before the CJEU that, after the Snowden revelations, it was apparent that the US authorities had overstepped the mark, and that they had required to see more personal data, including the personal data of EU citizens, than was necessary for national security purposes. Accordingly he argued that the self-certification scheme was not being adhered to.

The CJEU agreed. The effect of the judgment is that the Safe Harbor self-certification scheme has collapsed, essentially because a court with primarily economic jurisdiction, the CJEU, disagrees with the US security services as to what information is necessary to examine for US national security purposes.

Nor are the tremors of the Snowden earthquake coming to an end any time soon. In 1995, the EU, in a move in which it set its face against the inevitable delocalising forces of the internet, adopted the principle in legislation that EU personal data should only be processed in the EU. The Safe Harbor scheme was only one of three foundations which were subsequently constructed to allow a limited concession to the realities of the emerging internet. The other two foundations currently remain standing, albeit now having the appearance of a condemned building, since they are susceptible to precisely the same complaints made by Mr Schrems against the Safe Harbor rule. These are: (a) standard form express agreements, enforceable by a Court, which secure the personal data in the hands of the US hosting company; and (b) binding corporate rules, in which e.g. an EU subsidiary can legally control a US parent to the extent necessary to protect personal data acquired by the subsidiary and processed by the parent.

At a high level, the Schrems judgment has re-opened long-standing historical debates concerning the duties of the state to protect its own by spycraft – debates which have a long and noble history at least since the classical era and which, reopened in the age of information, will, I hope, inform the diplomats as they attempt to renegotiate the position following the Schrems decision. While the power of the diplomatic fudge should never be underestimated, the challenge to the EU team is acute: their brief would appear to be to persuade the US to allow for an increased physical threat to US citizens, in order to protect the mere sensibilities of EU citizens.

On a more prosaic level, we might reasonably expect some US internet corporates and their customers to face down a series of adverse EU enforcement decisions, and for some others, less bullish perhaps, rapidly to ramp up spend on EU based server farms.

Meanwhile the customers, the European companies who rely on processing information to fuel their businesses, and most of whom transfer some form of personal data to the US whether they know it or not, stand helplessly in the crossfire as the global institutions fight it out for the moral high ground. The advice to them at this stage can only be to keep up to date with what is a rapidly unfolding situation.
