A safe harbour no longer

The United States is no longer regarded as a "safe harbour" for EU data - and that's big (and welcome) news for Europeans.

In 1995, the European Union adopted the Data Protection Directive, which regulates how personal data is handled in the EU. As per all EU directives, each member state enacted their own legislation to implement the directive.

An important consequence is that companies are not permitted to send personal data outside the European Economic Area unless adequate levels of protection can be guaranteed.

The Safe Harbour Privacy Principles were developed so that U.S. companies could meet this standard, provided they were annually certified. In 2000, the European Commission decided that U.S. companies that complied were able to transfer personal data from the EU to the U.S. - the so-called Safe Harbour Decision.

This decision was extremely convenient for companies such as Facebook, which store their users' data in the U.S., as do many other U.S. companies.

The Safe Harbour Decision has not been without controversy, as although the U.S. does have its own Privacy Act (of 1974), this does not protect the data of foreigners. In addition, there are exemptions in the Act for the Department of Homeland Security and other government agencies.

Enter Austrian privacy activist Max Schrems, who in 2014 filed a complaint against Facebook Ireland with the Irish Data Protection Commissioner. The essence of his complaint was that Facebook was transferring his personal data to the U.S., and in the light of Edward Snowden's revelations about the PRISM surveillance program, adequate levels of protection were not guaranteed.

His complaint was rejected, and so Schrems took the complaint to the Irish High Court, which in turned referred the case to the Court of Justice of the European Union - the chief judicial authority of the EU.

On 6 October 2015, the court ruled the Safe Harbour framework to be invalid, a hugely significant decision. The ruling was strongly worded, which means it may be difficult to replace the framework.

This will have a far-reaching effect on the thousands of U.S. companies that transfer the personal data of EU citizens to the U.S. Apparently, EU privacy regulators have set January 2016 as a deadline for a resolution to be reached - or they may begin to suspend data transfers. It may be that U.S. companies will need to set up EU data centres to store EU personal data.

Posted by John Faulds in