Being French, I was very saddened by the events which occurred in Paris last month. It puts the unanswered question of where the line between necessary mass surveillance and privacy lies back on the table again.
This conversation was brought up after the Snowden revelations. Besides raising questions about mass, possibly unjustified, surveillance, they have also re-sparked the debate of national security vs. individual privacy.
Taking a step back in time to 2000, the Safe Harbor Principles were agreed upon between the US and the EU. They enabled US companies to comply with privacy laws protecting European Union and Swiss citizens and, by extension, allowed a safer flow of data between the two sides of the Atlantic. Those principles were based on the EU data protection directive enacted in 1995. The concept was that companies would self-certify that they could guarantee adequate protection to EU citizens. However, through the years, criticism of the robustness of Safe Harbor has been raised.
Max Schrems is an Austrian Facebook user who was disturbed by Edward Snowden’s revelations about mass surveillance by US intelligence agencies. Since he believed that transfers of his data to Facebook USA were subject to such mass surveillance, he complained to the Irish Data Protection Authority (DPA), which regulates Facebook’s transfers of personal data from the EU to the USA. He also requested the DPA to investigate whether Facebook could validly transfer EU citizens’ data under Safe Harbor.
The case was dismissed without investigation by the Irish DPA. Schrems then went up to the Irish High Court, which referred the case to the European Court of Justice (ECJ). The ECJ ruled that Safe Harbor was indeed not a valid way of transfer. The judgment did not actually focus on the vehicle (i.e. the means of transfer), but on whether the US could give assurance that the Safe Harbor Principles were being followed and therefore that adequate protection was provided.
Following this judgment, most privacy advocates are also claiming that, as a consequence, all current vehicles (BCR, Model Clauses, Inter Company Agreements, etc.) may have been rendered invalid as well.
If the issue is not the vehicle but the proportionality of surveillance, would not an intergovernmental agreement be necessary? What would be the right venue and/or the right vehicle? These questions have not been answered yet.
For more on the background to the Schrems case, see here.
The root of the problem comes from the fact that it is not the data protection regulation which will have authority to rule over the global surveillance question. Although the data protection principles should be taken into account, they are only a small piece of a much bigger conversation. Currently the negotiations around Safe Harbor 2 are taking place, but there are complex questions to answer, some of which appear to be beyond the reach of what the negotiators can take a stand on.
What should you do as a company? You are not going to shut down your business and wait for Safe Harbor 2 to come to life. So what is the right vehicle today to provide adequate protection to EU citizens’ personal data in the US?
The good news is that in the short term, it is unlikely that action will be taken against companies under Safe Harbor, either by the FTC or by local DPAs in the EU. Initially, companies will be given time to get their act together. In the mid-term, local DPAs will start sending letters to a handful of companies, in all likelihood mostly service providers and operators, asking which mechanisms they are using to legitimise the transfer. However, what the Schrems case brought to light was that the threat of enforcement does not come only from DPAs but also from individuals taking cases to court and, ultimately, to the ECJ.
So what is the current risk for companies? Who is going to pursue you and where?
Companies must think about the areas in which they relied on Safe Harbor and for which types of data (employee data? customer data? …). Are the transfers actually necessary? What is your strategy around risk management? There is no one-size-fits-all way of dealing with the aftermath of the ECJ decision. Companies must think about what makes sense in line with their strategy.
Agathe Caffier, Senior Counsel, International Operations and Privacy Specialist
Want to discuss your company’s privacy challenges? Reach out to me directly at firstname.lastname@example.org.