A two-part series on the Safe Harbor and the “Privacy Shield” agreement struck by US-European Union negotiators on data protection.

On October 6, 2015, the Court of Justice of the European Union sent shockwaves through the transatlantic digital economy, invalidating the Safe Harbor Agreement between the European Union and the United States. The agreement made it possible to transfer data of EU citizens to the United States. Over 5500 US companies, ranging from global tech companies such as Google, Facebook or Microsoft to e-commerce businesses and small startups, use the Safe Harbor agreement to do business in the EU. The invalidation of the agreement by the European Court meant that the basis of their business, the free flow of data between the EU and the US, was called into question.

People outside the EU may wonder why a special agreement between the US and the EU is needed for what is the basis of Internet-related businesses in the global economy: the free flow of data across borders. The reason is that in the EU, data protection is considered a fundamental right. In the EU, data protection is much more than a regulatory framework for the collection, processing and dissemination of personal data: it is seen as crucial to guaranteeing EU citizens their fundamental rights.

How can the EU protect the fundamental rights of its citizens when their data is transferred to other countries? The Safe Harbor framework is supposed to address this question. Since the legal frameworks and enforcement mechanisms for data protection vary across countries, the EU has developed the “adequacy” requirement. The Parliament and the Council have authorised the Commission to determine whether a “third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into.” In 2000, the Commission determined that companies based in the US could provide an adequate level of protection under the Safe Harbor Agreement. Under this arrangement, companies could self-certify their participation in the Safe Harbor program at the Federal Trade Commission (FTC) of the US Department of Commerce. The FTC was responsible for ensuring the compliance of participating US companies with the agreement.

The Safe Harbor program served as one of the most important instruments for transatlantic data transfers from the EU to the US for more than a decade. There have long been discussions about whether the program needed to be strengthened, as critics claimed that it failed to ensure the enforcement of adequate data protection standards. But the Snowden revelations added a new dimension to the discussion on transatlantic data transfer. The reports about NSA surveillance programs put the question of government access to data into the spotlight. Europeans became increasingly concerned about the possibility of US security agencies gaining access to the data transferred to the US under the program. Focusing on US intelligence agencies’ potential access to his data, Max Schrems, a privacy activist from Austria, launched a campaign challenging Facebook’s practice of transferring his personal data to the US under the Safe Harbor agreement. The outcome of his campaign put a dark cloud over the transatlantic digital economy when the Court of Justice of the European Union ruled the adequacy decision by the European Commission based on the Safe Harbor Agreement invalid a few months ago.

The main reason for the court to invalidate the arrangement was the adequacy determination by the EU Commission. While the court itself did not rule on the question of whether the US actually provides an adequate level of protection, it laid down a few principles that have to be met in order to make such a determination. The court explicitly criticized the fact that the Safe Harbor framework did not include any limitations on access to data for national security or public interest purposes. The court argued that such an interference with fundamental rights has to be limited to what is “strictly necessary and proportionate to the protection of national security.” The court also emphasized the provision of legal remedies for an individual in order to have “access to personal data relating to him, or to obtain the rectification or erasure of such data.” Commentators quickly pointed out that the court set a very high bar for the negotiation of a new agreement for transferring data from the EU to the US. The fact that many European member states themselves currently do not meet the standards set by the court has also been noted. This puts the EU Commission in a difficult position. While the Commission has no jurisdiction over matters of national security in the member states, its authority to enter into commercial treaties with other states is still bound by the EU Charter of Fundamental Rights. And as the court made very clear, the interference of public and national security agencies with fundamental rights cannot be ignored in an agreement over data transfer between the EU and a third country.

Since October, the EU Commission and the US government have been struggling to negotiate a new agreement. The EU Commission faces the tough challenge of striking a deal that includes enough new safeguards to satisfy the Court of Justice of the EU. The US is reluctant to make any further concessions beyond the reforms that have been enacted in the past two years. And both sides feel strong pressure from the commercial sector. Companies are increasingly frustrated by the uncertainty regarding the legal basis for transatlantic data transfers that the invalidation of the Safe Harbor agreement caused.

Stefan Heumann is director of the “European Digital Agenda” program at stiftung neue verantwortung, a Berlin-based think tank with a focus on technology and public policy.

The views expressed above belong to the author(s).