Light on a murky world

Those of us fortunate enough to work in the murky world of digital civil liberties have had our concerns about the veracity of the “Safe Harbor” agreement for quite some time.

From the data subject’s point of view, the CJEU ruling in the Schrems case is very welcome, although it has taken an excruciating 15 years to get here because of the European Commission’s inability to admit that the harbourmasters who employed the agreement were relying on an erroneous sea wall.

While the CJEU did not look at the merits of the Safe Harbor agreement, it concluded that it only applies to American companies who use it to receive data. However, US public authorities, like the NSA, are still not subject to it.

The court found that “national security, public interest and law enforcement requirements of the United States prevail over the Safe Harbor scheme”, and subsequently that Safe Harbor by itself cannot guarantee that privacy rights are respected because other laws take precedence.

It also found that some of these US laws are too broad and simply not compatible with our fundamental rights, stating: “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”.

The judgment has echoed the Data Retention Directive judgment from April 2014, with the “double lock” that data retention can only take place when it is “limited” to what is necessary to achieve a specific objective, and accompanied by “independent authorisation of access” (going further than the UK’s recent judgment on data retention, which focused solely on access controls).

All of these combined elements, together with the fact that EU citizens have no legal remedy under those US laws, drove the court to declare Safe Harbor invalid.

Where next for your data?

So, what does this mean for the individual who may be concerned about his or her data being retained unlawfully in the US? In the very short term, nothing much will change. Your data will still be sent to America as if it was being placed in a “safe harbor”, and while the ruling has immediate and retrospective effect, it will take some time for new arrangements to be put in place.

The Article 29 Working Party statement has given companies (and EU member states) some breathing space, until the end of January 2016, to comply with the ruling. After that, they will begin the process of taking action against companies and governments still relying on the agreement. So, until the end of January, companies can (and potentially will) continue to make merry with your data until they are forced into another kind of contractual arrangement. Safeguards being mooted at the moment include Model Clauses or Binding Corporate Rules, although these kinds of agreements may well find themselves subject to legal challenge because of the same US national security concerns which ran roughshod over Safe Harbor.

Other options include asking for informed consent, but it will be awkward to ask customers to volunteer to be spied on by the US Government. Recent changes to the privacy policies of Facebook and Twitter have led to major outcries, although not to a huge loss of business.

Data protection authorities might need to examine individual arrangements, and may well rule that they are as invalid as Safe Harbor. However, any increased protection will rely on EU member states’ data protection oversight arrangements. The UK Government needs to ensure that the Information Commissioner’s Office is sufficiently resourced and capable of protecting our privacy rights.

The EU could promote its own cloud and internet services industry to encourage companies who keep data to stay within Europe’s jurisdiction. While this is not a long-term solution, it would provide an incentive for the US to act and help create an international framework that truly guarantees our privacy irrespective of where our data is located. The CJEU has observed that there is a fundamental lack of protections for EU citizens’ data in the US – so ultimately the US needs to change its laws.

Challenges to come

A29WP is now calling on the member states and the European institutions to begin discussions with US authorities in order to find “political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights”.

Those of us defending our human rights in the murky corridors would like to see this happening sooner, rather than later.

ORG Scotland does not expect companies sending data to the US to stop overnight, or at any rate on their own initiative, but they could be open to challenge. Individuals may soon be asking them what exactly they are doing to comply with the ruling. We will be asking our supporters, and anyone else who may have an interest in finding out what’s happening with their data, to write to the big internet companies to see what, if any, safeguards are being discussed.

Just be aware that any emails you send may well continue to be harboured unsafely across the digital pond, at least in the meantime.