Is the Safe Harbor Agreement Still Adequate?
21 Apr 2015
The Safe Harbor Agreement has, once again, been thrust into the limelight with its adequacy in question. “Does it really protect EU citizen data?” is the question that Max Schrems has taken all the way to the European Court of Justice (ECJ). And he wants answers!
Who is Max Schrems?
Schrems is an Austrian law student who has brought a class action against Facebook Ireland for the inadequate protection of EU citizen data. He founded the Europe-v-Facebook group so that he can challenge the adequacy of the Safe Harbor Agreement and try to make a change. His website now also provides news, legal information and tools to help others understand and enforce their rights.
Europe-v-Facebook: the facts
The class action was brought against Facebook Ireland, who are responsible for all Facebook accounts outside of the US and Canada, for alleged privacy breaches against EU citizens. The main point to come out of the case so far is the effects of the US National Security Agencies PRISM Scheme. Under US law US government agencies have the power to access the personal data of non-US citizens and impose secret “gag orders” on US companies which forces them to hand over this personal data and not disclose the fact to anyone. With these laws in place, can any US company truly protect the data of EU citizens?
What does this mean?
An international organisation wishing to transfer data out of the EU into the US can do so if they are certified under the Safe Harbor Agreement as having adequate data protection policies in place. What Max Schrems is arguing is that this is surely impossible. Through no fault of their own US companies who are certified under the Safe Harbor Agreement cannot guarantee the level of protection necessary to comply with EU law. All US companies are subject to US law, meaning the NSA can hand them a court order forcing them to hand over data.
What has Europe said?
Under the current Data Protection Directive “the transfer of personal data to a third country which does not ensure adequate protection must be prohibited” and in a recent hearing of Schrems case the European Commission admitted that they could not confirm whether the Safe Harbor afforded adequate protection. According to the current Directive if the Commission cannot guarantee adequacy then they must stop the transfer of data out of the EEA. Surprisingly they have not prohibited anything in response to the Europe-v-Facebook case, they chose to ‘advise’ EU citizens that “If you don’t want your data to go to the US, close your Facebook”. The Commission have failed to see, or chose to ignore, the fact that it’s not just Facebook who are subject to “gag orders”, it is all US-based companies. This severely damages the integrity of the Safe Harbor Agreement.
What the Europe-v-Facebook case has done is highlight the issues surrounding the Safe Harbor Agreement bringing it to the public attention yet again (remember Edward Snowden?), with some calling for it to be binned. However, a suspension of the agreement would have a detrimental effect on both American and European companies so it is in everyone’s best interest that it remains in place, but with improvements made.
So, is the Safe Harbor adequate? Personal opinions aside, we are still waiting to find out if it is adequate or not. There are two things you need to be aware of!
1. Vera Jourova, the EU’s Commissioner for Justice, is currently in negotiations with her US counterparts to make changes to the Safe Harbor Agreement so it can be improved rather than suspended. Jourova intends on finishing negotiations by the end of May 2015, hopefully giving us some clarity. All we can do now is wait for the new and, hopefully, improved version of the Safe Harbor Agreement.
2. The ECJ will announce their decision in the Europe-v-Facebook case on the 24th June 2015 so we will have the adequacy question, hopefully, answered!