Not So Safe Harbour - An Examination

Posted on Oct 19, 2015
By: Alex Hamilton

Radiant Law's blog article following the European Court of Justice's ruling of US-EU Safe Harbour as invalid.


In the ongoing debate around personal privacy and the internet, it had seemed, for several years, as if matters were moving in one direction. In this digital, interconnected world, the very concept of ‘personal privacy’, particularly amongst a generation that has grown up online as much as anywhere else, is one which has become increasingly blurred, not to say all but non-existent.

Whilst many people seem perfectly happy to upload increasingly personal details of their private life, seemingly blithely unconcerned as to how, when and where those details might eventually come to be shared, there still exists a legal framework designed to protect our basic right to privacy.

It is this framework which has been thrown into the spotlight recently, following the decision by the European Court of Justice to render the legal instrument known as Safe Harbour invalid.

The European Safe Harbour agreement was created in the year 2000, as a means by which companies in the United States would be allowed to transfer information and data belonging to EU citizens from Europe to the USA. The agreement was needed because the privacy safeguards in the US fail to meet those which are upheld in the EU.

As such, Safe Harbour was negotiated and enshrined as a means via which US companies could self-certify to the effect that they were taking all the steps necessary to protect the data of EU citizens. In short, it created a single legal standard for consumer privacy and data storage applicable across the whole of the EU and the US. The simple fact that Safe Harbour was only established 15 years ago underlines the fact that it is another in a long line of legislators’ attempts to get to grips with the tectonic shifts which the ubiquity of the internet has wrought upon the gathering, transmitting, storing, sharing and safeguarding of information.

The globalisation of information via which vast swathes of data pour across borders and in and out of differing legislations every second of every day, means that agreements of this kind are vital to the businesses which thrive on either the details of this information or, if not on the details, on the capacity to transfer it smoothly. That’s why the decision to render Safe Harbour invalid could have such far reaching consequences.

The catalyst for the change in the law was the revelation, based upon the leaks provided by Edward Snowden that the National Security Agency (NSA) in the US was trawling through information held by companies such as Twitter and Facebook in a manner which was blatantly in breach of privacy legislation in Europe.

In short, US companies - and an estimated 4,500, some very large indeed, are thought to have made use of Safe Harbour - can sign as many items of self-certification as they like, but the necessary protection won’t be in place because the wishes and requirements of the US government supersede all other arrangements. The wording of the ruling handed down by the European Court makes this distinction clear through a somewhat guarded reference to mass government surveillance: "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life."

As with so many momentous changes, the end of Safe Harbour as it has operated thus far had its beginnings in the actions of a single individual unhappy with the way the system was working. In this case it was Austrian student Max Schrems, who, following the Snowden revelations, brought a case against Facebook in Ireland, the location of the company’s European headquarters. The crux of his case was that the NSA mass surveillance of data gathered in Europe but transferred to the US represented a violation of his privacy. The Data Protection Commissioner in Ireland initially rejected the case on the grounds that Safe Harbour applied, but the subsequent appeal to the European Court of Justice resulted in this weeks ruling, one which cannot be appealed.

In a statement following the ruling, Schrems was certain of what the implications were: "I very much welcome the judgment of the Court, which will hopefully be a milestone when it comes to online privacy. This judgment draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible ... This decision is a major blow for US global surveillance that heavily relies on private partners. The judgment makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights."

The Irish Data Protection Commissioner also welcomed the judgement, but pointed out that the challenge from this point on lies in crafting other frameworks, whether through a ‘Safe Harbour 2.0’, or a series of smaller interlocking measures through the vital exchange of information upon which so many businesses rely on can continue.

Her statement maintained that: “….my Office will immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgment can be implemented in practice, quickly and effectively, particularly insofar as it impacts on EU/US data transfers."

Whilst the transfer of information from the EU to the US isn’t going to stop overnight, there’s no doubt that alternatives will have to be arrived at, since companies and authorities will be nervously waiting for the next legal challenge to arrive, whilst advocates for online privacy will look upon this as the perfect opportunity to reclaim what had seemed to be a moribund concept, i.e. that the information you hand over to companies should be handled with a degree of confidentiality.

Of course, alternatives to Safe Harbour do exist, but their cumbersome and time consuming nature tends to illustrate why there was a call for a streamlined, catch-all answer like Safe Harbour to begin with.

One answer, for example, would be to simply gain consent from the person involved. Here, however, the use of the word ‘simply’ tends to be somewhat misleading. Consent of this nature, in order to be legally binding, needs to be freely given, something which comes up sharply against two different factors; the complex and often misleading nature of many online ‘terms and conditions’ and the fact that, under European law, consent granted by employees isn’t seen as having been freely given. Since much of the information covered by Safe Harbour pertains to employees, this is a major caveat.

Above and beyond these facts, a consent system would rely upon multiple consents being given across a range of different sites and data sets, with the individual concerned being reminded, each time, that they may well be consenting for the US government to legally spy on them.

Another option is for companies to draw up ‘model clauses’ dealing with data protection, which can be inserted into contracts, or for the data itself to remain in cloud storage based in Europe itself. In a world in which data transfers have broken down national borders and massively improved and accelerated the sharing of information, either one of these would be retrograde steps completely at odds with current and future business practices.

In the short term, the aim must be for individual businesses to implement legal safeguards to protect their customers and employees from breaches of privacy and the wider business from a legal challenge.

Looking into the future, it is vital that the EU and US authorities speed up the negotiations for an updated Safe Harbour, negotiations which have been ongoing for the past two years, in order to ensure that the swift and easy sharing of information, and the privacy of the individual, are not mutually exclusive.