The European Court of Justice (ECJ) decided today (6 October) that Safe Harbour is not so safe after all - despite the European Commission's finding 15 years ago that Safe Harbour provided an adequate means of protecting personal data for transfers to the US.
Today's ECJ case was prompted originally by a complaint made by Maximilian Schrems to the Irish data protection regulator about Facebook's transfers of personal data to the US under their Safe Harbour certification. In particular the Snowden revelations of 'back door' access to data held by large IT and social media providers under the US PRISM programme led to Mr Schrems' growing concern.
Mr Schrems maintained that US government surveillance meant that information was making its way into the hands of the US government and, once in their hands, the Safe Harbour principles no longer applied. His argument was that the fundamental right to privacy and rights relating to respect for personal information (such as fairness of processing, right to access, rectification or deletion) were bypassed once information had been seized by a body that had not voluntarily agreed to comply with data protection principles aligned to those in Europe. The case made its way up to the ECJ (via the Irish regulator and the High Court) for a decision on the validity of Safe Harbour.
The question referred from the High Court up to the ECJ boiled down to this: must a national data protection regulator automatically assume that Safe Harbour is adequate, because the European Commission decided 15 years ago that it is? Alternatively, is the regulator free to make up its own mind on the adequacy of Safe Harbour in light of developments since then and the facts of each transfer?
It became more evident that a storm was brewing when, on 23 September 2015, Advocate General Bot issued a damning opinion on Safe Harbour. In short, his view was that Safe Harbour has some serious weaknesses in light of large-scale US government covert information gathering and that Safe Harbour (despite what the European Commission thought some 15 years ago) is not fit for the purpose of protecting personal data transferred to the US under the scheme.
He pointed out that when the European Commission reviewed Safe Harbour, they looked at the scheme itself but failed to consider it within the wider setting of US laws that could essentially override the scheme. The European Commission will not be surprised by this criticism - they have been reviewing Safe Harbour and its shortcomings (including US government access to data, as well as other troubles such as insincere and incorrect Safe Harbour self-certifications and a lack of enforcement against transgressors).
See our previous article on the European Commission's proposed 13 point plan for shoring up Safe Harbour (on which good progress has been reported but negotiations remain ongoing on a few key issues such as the very issue that was debated in the Schrems case on privacy rights of individuals).
AG Bot also added that the regulator might not only decide in a particular case that protection was not adequate but that it was also within their power to suspend the particular data transfer complained of.
He went on to comment on the wider issue of the validity of the European Commission's original decision on Safe Harbour. Mr Schrems had pointed out that mass government surveillance in the US was indicative of a lack of protection of individuals' privacy rights. AG Bot was sympathetic, on the basis of the practice of mass surveillance and wide rights of access (extending beyond what is required for very specific purposes such as national security) by the US, combined with the lack of effective judicial protection for individuals once that data is in the hands of the US government. His view was that the Safe Harbour scheme should be found invalid.
The ECJ agreed with AG Bot. Notably their judgment states: "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life" - which reflects the core of Mr Schrems' argument. The original Safe Harbour decision was also criticised for the wide derogations that it permitted - where US national security, law enforcement and public interest override the principles.
What does this mean for existing Safe Harbour certifications?
Facebook has the most immediate problem - having had their powers clarified, the Irish regulator may now decide to examine the Safe Harbour data transfers to Facebook in the US. In light of the ECJ judgment, the Irish regulator may choose to suspend transfers to Facebook in the US.
It may now be the case that other individuals (or conceivably even organisations looking to cause trouble for their competitors) will raise challenges with national data protection regulators over specific Safe Harbour data transfers. The local regulators would then have to consider the adequacy of protection in the relevant country of destination and ultimately may suspend the transfers.
Organisations relying on Safe Harbour transfers where they have not been targeted by the US government for data access should have less to worry about, although there may be other grounds to challenge protection (for example, whether the organisation follows correct processes).
What does this mean for the future of Safe Harbour?
Given the significant ramifications of this decision for many businesses, the European Commission may well 'reactivate' Safe Harbour once it has come to a satisfactory resolution with the US government on the 13 Safe Harbour principles to shore up the weaknesses of Safe Harbour.
In the meantime, it would be unwise to rely solely on Safe Harbour certifications, and the most viable alternative will be to put in place European Commission-approved model contracts for intra-group personal data transfers as well as transfers to US-based third party providers. This is an administrative burden, but it is not the end of the world.
Even if Safe Harbour does come back 'online', Safe Harbour will never be a total guarantee that personal data transfers are adequately protected. It will likely remain a 'self-certification' scheme with problems of certifying organisations not doing what they say they are going to do.
In light of the proposed Data Protection Regulation, organisations in Europe (and beyond) will be facing much more onerous data protection requirements combined with eye-watering consequences for not complying. This will mean a much more diligent compliance regime will need to be put in place for data transfers. For example, organisations should consider applying for Binding Corporate Rules as a means of globally transferring personal data. Although Binding Corporate Rules will require a more rigorous investigation by regulators of an organisation's data protection practices, they are a more flexible tool than model contracts for organisations with a global presence. We shall see whether more multinationals go down this route.