Tag: Data Transfers

Safe Harbour 2.0 – Not really safe nor sound

Round 2!

Round 2!

So, back in 2013, the revelations of the massive and indiscriminate surveillance conducted by the US authorities have prompted EU demands regarding the strengthening of the Safe Harbour mechanism.

As you may well be aware by now, the conclusion of the very lengthy negotiations between the EU and the U.S. for the new EU-US Safe Harbour – christened “EU-US Privacy Shield” and intended to replace the former Safe Harbour Agreement – has apparently come to an end.

Which seem to be quite good news, considering how intricate those negotiations were.

Certainly, the approval of the Cybersecurity Information Sharing Act (CISA), according to which, upon ‘cyber threat’ indicators, companies are encouraged to share threat intelligence information with the US government by being absolved of liability for data security, did not help the case. Indeed, this undoubtedly poses a problem for the EU when such information includes some European citizens’ personal data.

Similarly, the delays on the proposed Judicial Redress Act, which would allow European citizens to seek redress against the US if law enforcement agencies misused their personal data, only added up to the existing complication.

The fact that negotiators were running against the clock was another stressful point.

Time was pressing for companies which rely on the Safe Harbour framework to freely transfer data between the United States and the European Union. Indeed, last October, the Court of Justice of the EU ruled that the Safe Harbour decision was invalid (case C-362/14). Consequently, companies had to rely on other legal basis to justify the transfers of personal data to the US.

Moreover, the Article 29 Working Party established the end of January as the turning point date where it would all necessary and appropriate action if no alternative was provided.

The end of January indeed passed and at the beginning of February the conclusion of the negotiations was finally announced.

However no bilateral agreement was really reached, as the new framework is based on “an exchange of letters” with written binding assurances.

The US have indeed offered to address the concerns regarding the access of its authorities to personal data transferred under the Safe Harbour scheme by creating an entity aiming to control that such activity is not excessive. Moreover, access to information by public authorities will be subject to clear limitations, safeguards, and oversight mechanisms.

Thus said, the conclusion of these negotiations represent good news. At least in theory. Certainly, in the EU Commission own words, the new framework “will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses“.

The EU Commission further stated that the new mechanism reflects the requirements set out by the European Court of Justice in its Schrems ruling, namely by providing “stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities.”

Moreover, it said that the new mechanism “includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access.”

It appears that mass and indiscriminate surveillance would constitute a violation of the agreement. However, it would still be permissible if a targeted access would not be possible.

Furthermore, “Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.” This independent entity is yet to be appointed.

The cornerstones of the arrangement therefore seem to be the obligations impending on companies handling personal data of EU data subjects, the restriction on the US government access and the judicial redress possibilities.

A joint annual review is intended to be put in place in order to monitor the functioning of the agreement

Nevertheless, in spite of what is optimistically expected and what one is lead to believe by the EU Commission’s own press release, one must wonder… What has really been achieved in practice?

To begin with, it seems that we are supposed to rely on a declaration by the US authorities on their interpretation regarding surveillance.

Unsurprisingly, many fail to see in what way this new framework is fundamentally different from the Safe Harbour, let alone that it complies with the requirements set out by the CJEU in the Schrems ruling. Hence, it is perhaps expectable that the CJEU will invalidate it on the same grounds it invalidated the Safe Harbour framework.

While US access to EU citizen’s data is expected to be limited to what is necessary and proportionate, as the devil is generally in the details, one must legitimately ask what is to be deemed necessary and proportionate in regards of such surveillance.

It is indeed unavoidable to think that such a framework does not ensure the proper protection of the fundamental rights of Europeans where their data is transferred to the US, nor provide sEU citizens with adequate legal means to redress violations, namely in regards of possible interception by US security agencies.

Anyway, at the moment, the ‘Ombudsperson’ has not yet been set up by the US nor any adequacy decision has been drafted by the EU Commission.

What does this mean in practice?

Well, as transfers to the United States cannot take place on the basis of the invalidated Safe Harbour decision, transfers of data to the USA still lack any legal basis and companies will have to rely upon on alternative legal basis, such as Binding Corporate Rules, Model Contract Clauses or the derogations in Article 26(1).

However, the EU data protection authorities (DPAs) did not exclude the possibility, in particular cases, of preventing companies to adopt new binding corporate rules (BCRs) or install model contract clauses regarding new data transfer agreements. It will be assessed if personal data transfers to the United States can occur under these transfer mechanisms. However, the fact that the data transferred under these methods are subject to surveillance by U.S. national security agencies mechanism is the same issue which lead the CJEU to rule the Safe Harbour Framework as invalid.

In the meantime, the Art.29WP expects to receive, by the end of February, the relevant documents in order to assess its content and if it properly answers the concerns raised by the Schrems judgement.

It further outlined that framework for intelligence activities should be orientated by four ‘essential guarantees’:

A. Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred;
B. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;
C. An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;
D. Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body.

Thus said, an ‘adequacy decision’ still has to be drafted and, after consultation of the Art.29WP, approved by the College of Commissioners. In parallel, the U.S. Department of Commerce is expected to implement the agreed-upon mechanisms.

So, let’s wait and see how it goes from here…

The ‘Safe Harbor’ Decision ruled invalid by the CJEU

Safe harbor?!? Not anymore.

Safe harbor?!? Not anymore.

Unfortunately, I hadn’t had the time to address the ruling of the CJEU issue last October, by which the ‘Safe Harbour’ scheme, enabling transatlantic transfers of data from the EU to the US, was deemed invalid.

However, due to its importance, and because this blog is primarily intended to be about privacy and data protection, it would be shameful to finish the year without addressing the issue.

As you may be well aware, article 25(1) of Directive 95/46 establishes that the transfer of personal data from an EU Member State to a third country may occur provided that the latter ensures an adequate level of protection. According to article 25(6) of the abovementioned Directive, the EU Commission may find that a third country ensures an adequate level of protection (i.e., a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter of Fundamental Rights) by reason of its domestic law or of its international commitments.

Thus said, the EU Commission adopted its Decision 2000/520, by which it concluded that the “Safe Harbour Principles” issued by the US Department of Commerce ensure an adequate level of protection for personal data transferred from the EU to companies established in the US.

Accordingly, under this framework, Facebook has been transferring the data provided by its users residing in the EU from its subsidiary in Ireland to its servers located in the US, for further processing.

These transfers and, unavoidably, the Decision had been challenged by the reference to the CJEU (judgment in Case C-362/14) following the complaint filed by Max Schrems, a Facebook user, before the Irish DPA and subsequently before the Irish High Court. The main argument was that, considering the access electronic communications conducted by its public authorities, the US did not ensure adequate protection of the thus transferred personal data.

According to the AG’s opinion, “the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data”.

Despite considering that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU, the CJEU considered that the decision fails to comply with the requirements established in Article 25(6) of Directive and that the Commission did not make a proper finding of adequacy but merely examined the safe harbour scheme.

The facts that the scheme’s ambit is restricted to adhering US companies, thus excluding public authorities, and that national security, public interest and law enforcement requirements, to which US companies are also bound, prevail over the safe harbour principles, were deemed particularly decisive in the assessment of the scheme’s validity.

In practice, this would amount to enable the US authorities to access the personal data transferred from the EU to the US and process it in a way incompatible with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.

As a result, the Court concluded that enabling public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.

The Court stated that the decision disregards the existence of such negative interference on fundamental rights, and that the lack of provision of limitations and effective legal protections violates the fundamental right to effective judicial protection.

Upon issuance of this ruling, the Art29WP met and concluded that data transfers from the EU to the US could no longer be legitimized by the ‘Safe Harbor’ decision and, if occurring, would be unlawful.
While its practical implications remain unclear, the ruling undoubtedly means that companies relying on the ‘Safe Harbor’ framework for the transfer of personal data from the EU to the US need to rely, instead, on another basis.

In this regard, considering that not all Member States accept the consent of the data subject or an adequacy self-assessment as a legitimizing legal ground for such cross-border transfers, Model Contractual Clauses incorporated into contracts and Binding Corporate Rules (BCR) for intragroup transfers seem to be the most reliable alternatives in certain cases.

Restrictions on data transfers are obviously also foreseen in the GDPR, which, besides BCRs, Standard Contracts and adequacy decisions, includes new data transfer mechanisms such as certification schemes.

You can find the complete version of the ruling here.

© 2023 The Public Privacy

Theme by Anders NorenUp ↑