Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

What is the 'Safe Harbor' agreement?

Margi Murphy | Oct. 7, 2015
Facebook, Google, Oracle and US tech companies will need to "urgently review" their data transfer arrangements from UK and Europe or risk breaching data protection laws, following this morning's landmark court ruling.

Why is this ruling surprising?

There are significant political and economic consequences of declaring Safe Harbor invalid, and it seemed unlikely that the European courts would make such a bold move.

Further, the quick ruling - just one week after legal adviser to state government, the Advocat General, released his opinion on Safe Harbor - is not in line with typical European court litigation.

As Rupan explains: "Typically, the European Court delivers its ruling approximately three to six months after publication of the Advocate General's opinion. While the exact reasons for the momentum of the judgement are unclear, it will certainly increase pressure on the ongoing renegotiations of the US-EU Safe Harbor Framework between the European Commission and the U.S. government, which appear to have stalled."

Post Snowden and Schrems: what steps should my business take?

The European Commission has campaigned for Safe Harbour reforms due to its self regulatory nature for three years, so while the definitive ruling is a surprise, the opinions of the state advisers are not.

"The Schrems case will help to bolster on-going negotiations between the EU Commission and the US Department of Commerce for reforms to the Safe Harbour framework. Given the crippling effect ending Safe Harbor would have on US businesses, especially those in tech sector, this case is likely to help accelerate a deal being achieved for Safe Harbor reforms.," says Rupan.

But Safe Harbor is not the only way European firms can transfer personal data to the US. There are alternative ways of ensuring adequate protection for personal data relating to EU citizens, such as implementing binding corporate rules or executing "model clauses" contract between the data exporter and data importer.

This could prove troublesome, Rupan explains: "The binding corporate rules only works for intra-group data transfers and model clauses will need to be put in place between each data exporter and each data importer which may be prove to be impractical where a US company has thousands of EU-based customers.

"Consent of the individual may also be used to justify certain transfers to the US, but consent is tricky as it must be specific, informed and freely given."

In a statement, privacy advocate Schrems said: "I very much welcome the judgement of the Court, which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.

"The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it. This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.

"At the same time this case law will be a milestone for constitutional challenges against similar surveillance conducted by EU member states."

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.