Anne-Marie Bohan and Andreas Carney consider Safe Harbour, Privacy Shield and what’s next for trans-Atlantic data flows.
Until recently, data protection rarely came up around the boardroom table, let alone in dinner conversation. But that’s changed. Data breaches are now big news. The hacking of Sony Pictures nearly caused an international incident when the US pointed the finger at North Korea. The bitcoin ransoming of information on users of the Ashley Madison service piqued the public’s interest.
Edward Snowden and Maximillian Schrems, self-proclaimed privacy advocates, have played their parts as catalysts for an evolution in how personal data rights are perceived and how the use of such data is regulated. And nowhere has that change been felt more than in the area of personal data transfers from Europe to the US.
Data protection law prohibits the transfer of personal data to the US unless a condition legitimising the transfer is satisfied. So if the European Commission determines that a jurisdiction ensures an adequate level of protection for the use of personal data, either through its domestic laws or international commitments, a condition is met. Seems simple enough.
The Safe Harbour framework was based on such a determination. It allowed the transfer of personal data to the US if the recipient signed up to the Safe Harbour principles, a set of commitments around the use of data, and self-certified compliance.
Safe Harbour, however, came under close scrutiny following the Snowden revelations of mass surveillance by US authorities in 2013. The Commission re-examined it and sought for US authorities to address shortcomings it identified.
Data protection law prohibits the transfer of personal data to the US unless a condition legitimising the transfer is satisfied
The European Parliament took a harder stance and called for the immediate suspension of Safe Harbour on the basis that it did not adequately protect EU citizens and their data.
Meanwhile, Maximillian Schrems, a Facebook user, complained to the Irish Data Protection Commissioner that in light of the Snowden revelations, the laws and practice of the US did not sufficiently protect personal data coming from the EU and that transfers of his data to the US should stop. A court action ensued, which ultimately resulted in the Court of Justice of the European Union (CJEU) striking down Safe Harbour late last year.
A key point underpinning the CJEU decision was that Safe Harbour permitted a derogation from the principles it laid down whereby the use of data was necessary to meet national security, public interest or law enforcement requirements.
This turned out to be Safe Harbour’s Achilles’ heel, because it meant that data transferred to the US using Safe Harbour could subsequently be collected and used by US security and law enforcement agencies free from the Safe Harbour principles. While the agencies were subject to US laws regarding the use of data, the CJEU ruled that the Commission had not, as part of its decision approving Safe Harbour, determined that those laws provided an adequate level of protection for EU citizens and their data.
In July this year the Commission and the US Department of Commerce agreed Privacy Shield, a new framework for EU – US data transfers. It seeks to address Safe Harbour’s shortcomings, among them the issues of mass collection of data by US authorities and the lack of a right of redress for EU citizens under US laws.
Regarding the collection of data flowing from Europe by US authorities, the Office of the Director of National Intelligence has given commitments regarding data collection and is at pains to point out very specific pre-conditions apply for data access.
But it may not be all plain sailing for Privacy Shield. The Commission can – if it believes that the framework no longer provides an adequate level of protection – suspend the framework itself. The legitimacy of Privacy Shield, like its predecessor, may be challenged. If that were to happen, it would be a matter for the CJEU to decide whether it stands up to legal scrutiny.
The next chapter on data transfers is already playing out in the Irish courts. The Commissioner is seeking a ruling from the CJEU on whether, following the Schrems decision, the transfer of data to the US on an alternative basis – namely the model clauses – is permissible.
One interested party to those proceedings estimated that if the existing channels for data flows from Europe to the US are ruled invalid, that could cause losses to the European economy of €143bn. It seems unthinkable, therefore, that data flows between the EU and US will just stop. But it may ultimately require a change of law in the US to satisfy the sceptics.