US: Safe Harbour No Longer

On October 6, 2015, the European Court of Justice declared that the Safe Harbour program – a framework which allowed efficient transfer of personal data between European Union (EU) member states and the US – was invalid. Over 4,000 companies, including data giants such as Facebook, Microsoft, and Google, relied on the Safe Harbour program to conduct business in the EU.

Background

In 1998, the European Commission’s Directive on Data Protection went into effect, which prohibited transferring personal data of EU citizens to jurisdictions outside the European Economic Area that did not have “adequate” levels of data protection. To ensure that data could be transmitted from Europe to the US, the US Department of Commerce and European Commission developed the Safe Harbour program, which allowed US companies to self-certify that they adhere to seven principles and fifteen frequently asked questions outlined in the Directive, and thus have adequate levels of data protection.

Only US companies that are subject to the Federal Trade Commission (FTC) or Department of Transportation (DOT) are eligible for the Safe Harbour program. Therefore, financial institutions, telecommunication common carriers, labour associations, and non-profit organizations are generally excluded, and are subject to other data protection requirements.

 

Court of Justice of the European Union’s Decision

The European Court of Justice (ECJ), the highest court in the European Union on matters of European law, found that European Commission decision 2000/520, which approved the Safe Harbour framework, is invalid. The ECJ also found that national Data Protection Authorities have the ability to investigate whether countries outside the EU have sufficient levels of data protection, even after the European Commission has issued a decision.

Maximillian Schrems, an Austrian citizen, challenged Facebook’s transfer of his personal data from Facebook’s Irish subsidiary to the US before the Irish Data Protection Authority. He argued that because Facebook stored personal data in the US, that personal data could be accessed by the US intelligence services such as the National Security Agency (NSA), thus it was not afforded adequate protection as defined by the Directive on Data Protection.

After the Irish Data Protection Authority refused to hear the claim, Mr. Schrems brought the action to the Irish High Court. The High Court stayed the proceedings and referred the matter to the ECJ.

The ECJ found that, despite the Safe Harbour program, “United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.” The ECJ also found that EU citizens do not have legal remedies to correct or delete their data. Therefore, the ECJ found that the Safe Habour program does not provide the level of protection of fundamental rights that are equivalent to those guaranteed by the Charter of Fundamental Rights of the European Union.

 

What Now?

The Irish Data Protection Authority is now required to examine Mr. Schrems’ complaint and determine whether transfer of the data of Facebook’s European subscribers to the United States should be suspended.

The US Department of Commerce acknowledges the ECJ’s decision, but has indicated that it will continue certifying US businesses that wish to participate in the Safe Harbour program in view of the “current rapidly changing environment”.

Companies such as Microsoft have expressed that they will continue operating as usual, arguing that their privacy and data protection policies are compliant with the Directive on Data Protection. In addition to certifying with the Safe Harbour program, some companies have put in place additional safeguards such as EU Model Clauses to govern the transfer of data outside the European Economic Area.

Canada’s data protection laws provide adequate protection as defined by the Directive on Data Protection; Canadian businesses’ operations with the EU are not affected (See Cassels Brock blog).

 

Analysis

Although protection of personal information is undeniably a laudable goal, invalidating frameworks that govern international transfer of data does not achieve that end. Without international frameworks, companies that collect, use, and transfer personal information will be pushed to store data within national borders to ensure compliance with domestic legislation. Although technically possible, this hampers the free and efficient flow of data and commerce. Citizens of every country should have easy access to the global economy and international flow of information.

International frameworks with stronger oversight and enforcement mechanisms should be enacted that create a balance between protection of personal information and the global nature of today’s economy. If courts are worried about protection of personal information, they should turn their minds to intelligence agencies or companies that misappropriate data about individuals, not frameworks that aim to protect personal information.

 

Lisa Hartman is a JD Candidate at Osgoode Hall Law School and is enrolled in Osgoode’s Intellectual Property Law Intensive Program. As part of the program requirements, students were asked to write a blog on a topic of their choice.