In search of a new Safe Harbour: The EU’s push for new data transfer regulation with the US may be part of the problem
Aftershocks continue following the European Court’s ground-breaking ruling on 6 October outlawing the “safe harbour” arrangements.
The ruling isn’t just worrying for Silicon Valley giants, such as Facebook and Google, who rely on Safe Harbor to transfer their EU users’ data, but also for global businesses that manage employee data in the US, and indeed smaller organisations who outsource that data processing to cloud companies.
Shortly after the decision, EU data protection regulators issued a statement on its implications. Key to any satisfactory solution was an intergovernmental agreement with the US. Although ongoing discussions on improving “safe harbor” were relevant, the regulators wanted a more broadly scoped agreement with transparency, proportionality and individual redress.
One major concern, following the Snowden revelations, was indiscriminate surveillance by security organisations such as the National Security Agency (NSA).
In fighting terrorism the NSA is after the “bad guys”. But unless it already has suspicions, should it look at the good guys to spot the bad guys? Big questions – with significant implications for civil liberties and human rights.
Safe harbour apart, the other main route for US data transfer was the “model clauses” – a standard agreement approved by the European Commission. Though the Working Party suggested that model clauses could still be used, it set a deadline of January 2016 for the EU and US to come up with a longer-term solution. But it flagged up that individual data protection authorities might pre-empt matters and take action themselves.
Sure enough, some are flexing their muscles. The state regulator in Schleswig-Holstein has cast doubt on model clauses, saying that data transfers based on these were no longer permitted and that suspension of transfer should be considered. Earlier this week (26 October) data protection regulators in Germany issued a statement casting further doubt; the Portuguese regulator has followed suit.
Though something of a mess, there are signs of hope. The US House of Representatives has approved the Judicial Redress Act, which will permit certain non-US citizens to bring privacy actions.
That will not solve the safe harbour problem but goes some way to doing so.
Speaking last week, Julie Brill, Commissioner of the Federal Trade Commission, said that though thousands were facing the task of renegotiating contracts and adjusting data flows, she was optimistic that a solution would be found. The European Court had given a stimulus for a more robust solution than safe harbour.
What is needed is co-operation and collective agreement. The drive by the EU to create a new Data Protection Regulation may be part of the solution. But it is also part of the problem.
There is a rather arrogant view that while the EU offers proper privacy rights, protection offered in the US is “not adequate”. Although there may be truth in some of this, protection within the EU is focused on the procedural and the bureaucratic rather than the substance.
If there is real impetus to sort out international data transfers, some give and take may be required – and delaying the new Regulation may be for the best.