Do you remember the fight between the young Austrian lawyer Max Schrems and Facebook? Several days ago M. Schrems achieved his first victory: the European Court of Justice (ECJ) ruled that the US does not ensure sufficient protection of Europeans' personal data, and therefore the "Safe Harbor" agreement, which had simplified data transfers to US companies, was invalidated.
Why has M. Schrems been complaining about the "Safe Harbor"?
Article 25 of the European Data Protection Directive states that Europeans' personal data may be transferred to a third country (e.g. US, Canada, Switzerland, etc.) only if the third country in question ensures an adequate level of protection for these data. Aiming to create more flexible rules for the US companies that collect and process Europeans' personal data, the European Commission adopted the decision on the "Safe Harbor" agreement in 2000. This agreement allowed US companies to collect, transfer and process Europeans' personal data only if they voluntarily certified themselves and informed the US Department of Commerce. More than 4,000 US companies (including Google, Yahoo, Facebook, and Twitter) have used this opportunity; this mechanism allowed Facebook, for example, to transfer users' personal data from its Dublin office to the US in order to store them.
In 2013 Edward Snowden disclosed secret information about US surveillance, and this raised many doubts about the protection of transferred Europeans' personal data. It turned out that all the US companies that participated in the PRISM program had been using "Safe Harbor" certificates. In this way the "Safe Harbor" became an information channel through which US surveillance authorities accessed Europeans' personal data.
In response to this, last year the European Commission drafted 13 recommendations to the US asking for a review of the "Safe Harbor". Unfortunately, negotiations on this matter took quite a long time and a final agreement has not been reached because of differing attitudes towards the protection of privacy and personal data. It's worth noting that, among these recommendations, the European Commission has included:
M. Schrems did not wait until the end of these negotiations: he turned to the Irish Data Protection Commissioner, asking him to evaluate whether Facebook had transferred Europeans' personal data to the NSA legally or not. The Commissioner refused to investigate the complaint, stating that such data transfer is regulated under the "Safe Harbor" agreement and that its evaluation is not within his competence. M. Schrems did not agree with that and approached the Irish High Court, which then asked the ECJ to adopt a preliminary ruling in this case.
What has been decided by the ECJ?
The ECJ in the ruling has resolved the following questions posed by the Irish High Court:
The ECJ has explained that, even if the European Commission has adopted a decision, the national data protection authorities (DPAs) must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the Directive. Nevertheless, only the ECJ has jurisdiction to declare that an EU act is invalid. Consequently, when a national authority (or the person who has brought the matter before the national authority) considers a European Commission decision to be invalid, that authority or person must be able to bring proceedings before the national courts, so that they may refer the case to the ECJ.
On the second issue the ECJ noted that personal data may be transferred to a third country which ensures an adequate level of protection, meaning that a third country's domestic law or its international commitments ensure a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed by the Directive and by the EU Charter of Fundamental Rights. Therefore, when examining the level of protection afforded by a third country, the European Commission is obliged to assess the content of domestic law or international commitments and the practice designed to ensure compliance with those rules; it also has to periodically check if the level of protection is sufficient even after the adoption of a decision.
The ECJ has expressed concerns that the principles set out in the "Safe Harbor" agreement are binding solely on the self-certified US companies, while the US public authorities are not subject to them. The "Safe Harbor" does not identify measures by which the US ensures an adequate level of protection of personal data. Moreover, where the "Safe Harbor" rules conflict with US domestic law, it is national security, public interest or law enforcement requirements, or simply US law, that take primacy over the "Safe Harbor". The "Safe Harbor" does not define the cases in which US public authorities (e.g. NSA) can access Europeans' personal data for national security or law enforcement purposes. The "Safe Harbor" is also silent about the legal remedies that should be available to Europeans in order to have access to their personal data, to obtain the rectification or erasure of such data, or to appeal to a tribunal.
According to the ECJ, the European Commission found out in 2013 that the US authorities were able to access the personal data transferred from the Member States to the US and to process it in an incompatible way, i.e. beyond what was strictly necessary and proportionate to the protection of national security. The fact that the US public authorities had almost unlimited access to Europeans' electronic communications, while the Europeans did not have any legal remedies to oppose that, violates two fundamental rights: the right to respect for private life and the right to effective judicial protection. Consequently, the "Safe Harbor" agreement was recognized to be invalid.
What are the consequences?
As the "Safe Harbor" agreement has been invalid since 6 October 2015, US companies are obliged to find other legal mechanisms allowing them to transfer personal data from the EU to the US. They can choose to set up binding corporate rules, which should be approved by the DPAs, or they can put model contracts with standard contractual clauses in place, but even in this case approval by the DPAs is required in several EU member states. Such procedures will certainly burden the US companies significantly, as the 28 EU member states still apply different data protection rules; as a result, some US companies may consider moving their data centres from the US and storing Europeans' personal data in the EU.
In the meantime the European Commission welcomed the ECJ ruling, stating that it has explained essential provisions for Europeans' data protection. The Commission also stressed that it is important not only to ensure the protection of Europeans' personal data, but also to promote data flows between the EU and the US. For this reason the European Commission, in cooperation with the EU DPAs, is going to set guidelines implementing the ECJ ruling shortly. It is clear that the implementation will significantly increase the level of bureaucracy and the workload of the DPAs, while many of them are not yet well prepared.
It is probable that the ECJ ruling will affect negotiations on the new "Safe Harbor" agreement, which may be pushed forward. Nevertheless, the ruling has not ended the litigation between M. Schrems and Facebook: the Irish High Court, bound by the ECJ ruling, will have to evaluate M. Schrems's claim. Most probably the Irish Data Protection Commissioner will be obliged by the court to decide whether Facebook has been transferring Europeans' personal data to the US legally. In spite of this, M. Schrems was very happy about the ECJ ruling and stated that it "will hopefully be a milestone when it comes to online privacy". He also said that according to the ruling "governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it".
This article has been published in cooperation with the Human Rights Monitoring Institute, a Lithuanian NGO defending human rights.
Image courtesy of Greenfesa, Flickr.com