The European Court of Justice (ECJ) has ruled that the Safe Harbour agreement, which underpinned the transfer of personal data from the EU to the US, is invalid.
The ruling follows the opinion delivered by Advocate General Bot on 23 September and was widely expected to do so.
Maximillian Schrems v Irish Office of Data Protection Commissioner
At the heart of this ruling is a case brought by Maximillian Schrems against the Data Protection Commissioner in Ireland over the way Facebook transferred his personal data out of the EU. The initial finding by Ireland’s Office of the Data Protection Commissioner (ODPC) was that Facebook was entitled to move the data because the transfer was covered by the existing Safe Harbour agreement.
Robert Lands, partner and head of intellectual property at law firm Howard Kennedy, said: “In short, Schrems wants to prevent US intelligence agencies gaining access to his personal data by making it harder for US based businesses to collect personal data about EU citizens.”
That finding has now been overturned. It will cause considerable concern among companies operating on both sides of the Atlantic as to where they can now store their data. Cloud companies such as IBM, HP and Amazon, which allow data from their European data centres to be backed up in the US, will also have to respond.
The biggest problem will be for social media companies such as Facebook, Twitter and LinkedIn, which will now need to work out the implications of this ruling for their businesses in particular. It could, for example, require them to delete all the data they hold on EU citizens in the US. Alternatively, they could provide the same right to be forgotten, and the same rights of access to data, that the EU requires of companies based in the EU.
Safe Harbour is just a self-certifying scheme
There has been concern for some time that many US companies claim Safe Harbour protection despite not having the right processes in place. This is because there is no audit mechanism around Safe Harbour: although it is administered by the US Department of Commerce, all a company has to do is self-certify that it has reasonable standards in place to protect personal data.
According to Lands: “In 2000, the European Commission approved Safe Harbor as providing “adequate protection” for the transfer of personal data across the Atlantic. Since then numerous organisations have relied on the scheme to ensure that they are handling personal data lawfully.”
From a risk perspective, European companies should have been asking for proof that US companies had met the Safe Harbour provisions before dealing with them. Few do; most simply assume that Safe Harbour is all-encompassing.
What can companies do?
Lands believes that companies “will need to consider their strategies around data transfers; if they have been relying on Safe Harbor to justify them then they will need to think of privacy-friendly methods to do so, which are compliant with the Data Protection Directive.
“Extra due diligence into service providers will need to be conducted as many companies outsource their HR, payroll and other tasks involving personal data about customers or staff. Further, European businesses using software which is supported from the US need to be wary: remote access can often allow a technician to view personal data in the US, meaning a transfer of personal data can occur.
“A more transparent and accessible approach should be taken to data sharing. Obtaining explicit consent to justify transfers and creating new agreements between companies which share data may be further ways of meeting the requirements of the Data Protection Directive.”
One view, from Nigel Hawthorn, European spokesperson at cloud security company Skyhigh Networks, is that encryption could be the solution. He said: “While legislators on both sides of the Atlantic decide how to move forward, business cannot stop.
“Organisations need to investigate technologies such as encryption or risk being dragged through the courts by privacy advocates, customers or employees. Tokenising or encrypting data flows before they are sent to the cloud, and keeping the keys on premise, means all of these issues disappear. There is no ‘personal’ data in the cloud service once it has been encrypted or tokenised.”
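To make the “tokenise before it leaves, keep the keys on premise” approach concrete, the following is an added example written for this article; it is not code from the original page, from Skyhigh Networks, or from any vendor product. It is a minimal on-premise tokenisation gateway: records pass through `outbound()` before they cross the trust boundary to the cloud service and through `inbound()` when they come back. The field names (`email`, `full_name`, `phone`), the `tok_` prefix, the in-memory vault and the sample record are all assumptions made for the example. Fields marked deterministic get the same token for the same value (an HMAC under an on-premise key), so the cloud side can still group or join on them; the other fields get a fresh random token per record, so the cloud side learns nothing about equality between records.

```python
import hashlib
import hmac
import json
import secrets

# Which fields count as personal data is an assumption for this example.
# Deterministic fields keep joinability in the cloud; random fields do not.
DETERMINISTIC_PII = {"email"}
RANDOM_PII = {"full_name", "phone"}
PII_FIELDS = DETERMINISTIC_PII | RANDOM_PII


class TokenVault:
    """On-premise token vault. In production this is a database on your own
    infrastructure; here an in-memory dict stands in for it (assumption)."""

    def __init__(self, hmac_key: bytes):
        if len(hmac_key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = hmac_key             # the key never leaves the premises
        self._token_to_value = {}        # token -> (field, original value)

    def tokenize(self, field: str, value: str) -> str:
        if field in DETERMINISTIC_PII:
            # Keyed hash: same (field, value) -> same token, unlinkable without the key.
            mac = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256)
            token = "tok_" + mac.hexdigest()[:32]
        elif field in RANDOM_PII:
            # Fresh random token per occurrence: reveals nothing, not even equality.
            token = "tok_" + secrets.token_hex(16)
        else:
            raise ValueError(f"{field} is not a tokenised field")
        self._token_to_value[token] = (field, value)
        return token

    def detokenize(self, field: str, token: str) -> str:
        stored_field, value = self._token_to_value[token]   # KeyError: unknown token
        if stored_field != field:
            raise ValueError("token presented for the wrong field")
        return value


def outbound(record: dict, vault: TokenVault) -> dict:
    """Replace personal data before the record crosses the trust boundary."""
    safe = dict(record)
    for field in PII_FIELDS:
        if safe.get(field) is not None:
            safe[field] = vault.tokenize(field, str(safe[field]))
    return safe


def inbound(cloud_record: dict, vault: TokenVault) -> dict:
    """Restore personal data when a record comes back on premise."""
    restored = dict(cloud_record)
    for field in PII_FIELDS:
        value = restored.get(field)
        if isinstance(value, str) and value.startswith("tok_"):
            restored[field] = vault.detokenize(field, value)
    return restored


def leaks_pii(cloud_record: dict, original: dict) -> bool:
    """True if any original personal-data value is visible in the serialised
    record that would be sent to the cloud."""
    blob = json.dumps(cloud_record)
    return any(str(original[f]) in blob for f in PII_FIELDS if original.get(f))


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    # Constructed sample record; not real data.
    rec = {"customer_id": 42, "email": "max@example.com", "full_name": "Max Example",
           "phone": "+353 1 000 0000", "plan": "pro"}
    out = outbound(rec, vault)
    print(json.dumps(out))
    assert not leaks_pii(out, rec)
    assert inbound(out, vault) == rec
```

Two points a practitioner should keep in mind. First, the protection rests entirely on the HMAC key and the vault staying on premise: whoever holds the vault can re-identify every record, so it becomes the asset that needs the controls. Second, the deterministic tokens are a deliberate trade-off: they let the cloud side count or join on `email`, but they also reveal that two records share an address, and anyone who can submit chosen values to the gateway can test whether a given address is present. Fields that do not need to be joined on are better served by the random tokens.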
What happens next?
What will happen now is anyone’s guess. As the ECJ is the highest court in the European Union and is charged with matters of Union law, there is no appeal against its ruling. However, national courts still have to interpret the rulings of the ECJ and decide how to implement them. In this case the difficulty will be in deciding how data can be moved outside the EU when there is no valid agreement in place.
There is a further risk that this ruling could completely derail the Transatlantic Trade and Investment Partnership (TTIP) that the EU and US are negotiating. The reason is that TTIP was already proposing changes to the way data is handled that conflicted with the forthcoming European General Data Protection Regulation, due to come into force next year.
There have been rumours for some time that US companies wanted to be exempt from the risk of a fine that could equal 5% of global turnover and wanted TTIP to exempt them from, or limit, damages. These rumours were part of the reason that the EU Commissioner in charge of TTIP has limited access to the documents to just a few people, who have to travel to Brussels to read them.
These are just a few of the implications of this ruling which will roll on for weeks now.
This is going to cause chaos for companies large and small, and it will be interesting to see just how quickly privacy advocates and activists start filing lawsuits against US companies across Europe. National governments will already have started to consider what to do after Bot’s opinion, but few will have had any spare time to start framing laws to deal with this issue.
Just a few days ago the ECJ issued another ruling that will affect the way companies trade across Europe. It is not a good day to be in business.
Let the games begin.