Since Edward Snowden made his revelations in 2013, Europeans have become increasingly suspicious of United States intelligence services spying on their personal data (see http://www.spiegel.de/international/germany/nsa-spying-fallout-majority-of-germans-mistrust-united-states-a-932492.html ). This was highlighted this week in the Court of Justice of the European Union, when the Advocate General gave his Opinion in the Maximillian Schrems v Data Protection Commissioner case.
Maximillian Schrems is an Austrian law student who has been using Facebook since 2008. Facebook is allowed to transfer some or all of this data from its Irish subsidiary to servers located in the United States, where it is kept. Maximillian Schrems lodged a complaint with the Irish data protection authority (the Data Protection Commissioner) believing that the law and practices of the United States offer no real protection against surveillance by the United States for data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 20002 the Commission considered that, under the ‘safe harbor’ scheme, the United States ensures an adequate level of protection of the personal data transferred.
The ‘safe harbor‘ framework is a voluntary framework which American organisations who process personal data from the European Union can sign up to. It was designed ‘to bridge the differences between’ the differing ‘approaches to privacy and provide a streamlined means for U.S. organizations’ to comply with the European Commission’s Directive on Data Protection. The effectiveness of ‘safe harbor’ has been called into question, especially considering it gives no guarantees for preventing mass and generalised access to the transferred data. Companies also have to self-certify annually to take part in the scheme.
Two key sections that are immediately apparent from the advocate general’s opinion are:
The Advocate General considers furthermore that the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal dat.,
The Advocate General considers that, in those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection, and this is all the more so since the safe harbour scheme as defined in the Commission decision does not contain any appropriate guarantees for preventing mass and generalised access to the transferred data. Indeed, no independent authority is able to monitor, in the United States, breaches of the principles for the protection of personal data committed by public actors, such as the United States security agencies, in respect of citizens of the EU.
Indeed in summing up the Advocate General states ‘Given such a finding of infringements of the fundamental rights of citizens of the Union, according to the Advocate General the Commission ought to have suspended the application of the decision, even though it is currently conducting negotiations with the United States in order to put an end to the shortcomings found. The Advocate General indeed observes that, if the Commission decided to enter into negotiations with the United States, that is because it considered beforehand that the level of protection ensured by that third country, under the safe harbour scheme, was no longer adequate and that the decision adopted in 2000 was no longer adapted to the reality of the situation.’
New business practices may also be needed: in an article from July 2015 the Washington Post suggests Yahoo keeps information ‘local’ , partly to avoid crossing international boundaries with their differing legal systems. Certainly new legislation cannot be far away; safe harbor is clearly no longer adequate.