EU organizations are not allowed to transfer personal data to countries outside the EU unless they guarantee adequate levels of protection. Safe Harbor provided a mechanism companies to transfer personal data from the EU to the USA.
The European Commission published a decision in 2000 that set up Safe Harbor. Thousands of companies, including the internet giants Google, Facebook, Apple and Amazon, took part.
The Framework relied on US companies "self-certifying" that they complied with the data protection standards required.
The Court of Justice of the European Union (CJEU) ruled that the Safe Harbor Decision on data transfers to the US was invalid in a judgment dated 6 October 2015.
It also ruled that any future Safe Harbor Agreement 2.0 would not provide blanket immunity for any data transfers. National supervisory authorities are entitled to examine independently whether the transfer of a person's data to non-EU state complies with EU law.
Max Schrems is a Austrian privacy activist. He's campaigned against Facebook in particular due to alleged privacy violations.
In 2014, he filed a complaint to the Irish Data Protection Commissioner in respect of Facebook. When the Data Protection Commissioner rejected the complaint, he applied to the Irish High Court for judicial review. The High Court made a preliminary reference to the CJEU, resulting in the latter's ruling striking down the Safe Harbor Framework.
Edward Snowden is an American whistleblower who leaked documents detailing global surveillance programs run by the NSA.
In the case brought by Max Schrems, the Irish High Court stated, "the Snowden revelations demonstrate a massive overreach on the part of the security authorities, with an almost studied indifference to the privacy interests of ordinary citizens. Their data protection rights have been seriously compromised by mass and largely unsupervised surveillance programmes".
The prevailing opinion is that this surveillance is in violation of rights under Article 7 and Article 8 of the Charter of Fundamental Rights. EU citizens have no way of challenging these violations of their privacy in a court of law.
The Data Protection Authority in Schleswig-Holstein recently gave an opinion that the transfer of personal data to the USA is not possible under any legal framework whatsoever until the USA ceases indiscriminate mass surveillance.
Directive 95/46/EC requires the Member States to transpose legislation that regulates the processing of personal data, including the transfer of personal data outside of the EU.
In addition, Articles 7 and 8 of the Charter of Fundamental Rights grants EU Citizens privacy and data protection rights. EU organization must meet stringent data protection standards and face investigation by national data protection authorities in the event of infringements.
Google and Facebook have stated that they are not affected by the Safe Harbor ruling because they have alternative arrangements in place such as model clauses or binding corporate agreements. Here's what the data consultants at Castlebridge Associates said about alternatives to Safe Harbor:
But, in reality, Model Clauses to cover transfers to the United States are, on foot of today's CJEU ruling, as useful as a Chocolate Teapot... perfectly fine until the heat comes. (Note: Binding Corporate Rules and others are in the same boat!)
The EU-U.S. Privacy Shield is designed to replace the now-defunct Safe Harbor Framework. In summary it provides the following:
The EU-U.S. Privacy Shield provides that companies must reply to complaints from individuals within 45 days. Provision is also made for free-of-charge Alternative Dispute Resolution. Finally, as a last resort, there will be an arbitration mechanism to ensure an enforceable decision.
The U.S. will provide written assurances that any access of public authorities to public data will be subject to clear limitations, safeguards and oversight mechanisms. The U.S. Authorities will affirm that indiscriminate or mass surveillance will not take place
There will be an annual joint review mechanism for monitoring the functioning of the Privacy Shield and the U.S. commitments, including as regards access to data for law enforcement and national security purposes.
I have an incredible feeling of de ja vu. And a suspicion we'll be back at the drawing board before long. The text I've seen, while progress to an extent, doesn't appear to address key issues and will inevitably be challenged by an DP authority, an EU citizen, or the Parliament.
Even if Privacy Shield was bulletproof, it still doesn't apply to data processors outside of the FTC's remit. And as the Privacy Shield text was negotiated against the Directive instead of the Regulation that is replacing it, we will inevitably wind up faced with a renegotiation within the next 2 years or so. The ultimate fix lies not with the EU but on the US side. Legislative reform is inevitable to avoid repeating cycles of uncertainty.
The WP29 notes the major improvements the Privacy Shield offers compared to the invalidated Safe Harbour decision.
Given the concerns expressed and the clarifications asked, the WP29 urges the Commission to resolve these concerns, identify appropriate solutions and provide the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU.
Organizations across the EU need to be able to take advantage of the benefits of software as a service and cloud computing in order to stay competitive in the global economy. That's why we've put together a list of EU-based companies that will only host your data in Europe.