The Story Behind Safe Harbor and Privacy Shield
Author Aurélie Pols
It’s not uncommon in today’s world to hear about companies being hacked and data being stolen. And while a lot of these cases end up in court, there hasn’t been a lot of litigation about data protection. In other words, there haven’t been a lot of court cases about privacy.
We’ve been increasingly hearing about security breaches and subsequent settlements, the most recent one involving the dating site Ashley Madison. Yet privacy and personal data issues have rarely been put in front of the courts.
The wider public remains unaffected and while some in the digital analytics industry might have heard about Adobe’s data breach, business has continued as usual for over a decade.
However, there’s one exception.
In October 2015, an international data transfer framework, known as Safe Harbor, was declared invalid by the European Court of Justice (ECJ) in Luxembourg. The privacy principles were ruled to leave companies too much room for negligence when it comes to transferring data of EU citizens to the United States.
You might recall Edward Snowden disclosing mass surveillance practices that were carried out by the US National Security Agency (NSA) under a program called PRISM.
To cut a long story short, an Austrian law student by the name of Max Schrems, who was following these allegations, argued in an Austrian court that his European privacy rights were not being upheld by Facebook when using the service, as data was being transferred to the United States.
Facebook argued the Austrian courts were not competent to rule on this as Facebook’s European operations are based in Ireland. The discussion was therefore moved to Ireland, which subsequently pushed the matter to the European Court of Justice (ECJ) in Luxembourg.
Based on the information shared by Max Schrems, the ECJ ruled in his favor and basically, from one day to the next, the piece of paper that allowed companies to make international data transfers from the EU to the US was now invalid.
A period of confusion, which isn’t over yet, followed as recommendations were made by the Article 29 Working Party on alternative methods to assure the legality of these data transfers. Two alternative methods emerged: standard contractual clauses or binding corporate rules (BCRs).
Both are legal instruments that would take too long to explain in this blog post, but basically companies that were paying attention as of October 2015 moved to sign standard contractual clauses (or model clauses) with their data partners, if they didn’t have BCRs in place. This meant having one contract for each data partner.
Clearly, working under Safe Harbor involved a lot less paperwork for everybody than the new solutions.
Even though Safe Harbor had been invalidated, data still needed to be transferred between Europe and the US in order for companies to continue their day-to-day business.
The European Commission needed to find a solution to make sure businesses could continue to operate. And they needed a solution fast!
The way democracy works, when the courts and the judiciary rule, the executive arm of our European democracy has to follow suit.
So, the Article 29 Working Party, the consultative body related to data protection, stated that while the Commission figured things out, a moratorium would be accepted for a couple of months before standard contractual clauses had to be put in place.
That’s where Privacy Shield was brought to life in July 2016.
Also called Safe Harbor 2.0, Privacy Shield strengthened obligations related to this self-certification scheme to assure lawfulness of international data transfers between the EU and the US.
Note that Switzerland is a specific case: it had its own Safe Harbor and was aligned as of January 2017, allowing companies to apply to the Swiss-US Privacy Shield scheme as of April 2017.
The efforts being made to update the data protection regime in Europe exist to reaffirm the rights of citizens within the growing data economy.
To assure frictionless business processes and free flow of data, the EU Commission has set up a procedure where non-EU countries can ask for what’s called “adequacy”:
“to define whether a third-country ensures an adequate level of protection by reason of its domestic law or of international commitments it has entered into”.
Privacy Shield today, and Safe Harbor before, are examples of such international commitments.
The following countries are included in the list of “adequate data protection regimes”:
Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, the State of Israel, the Isle of Man, Jersey, New Zealand, the United States and the Eastern Republic of Uruguay.
This means that typically, transferring personal data from the EU towards those countries is easier. Additional protective measures need to be taken when transferring data to India, for example.
The GDPR confirms in article 45 that the transfer shall not require specific authorization if done based on this adequacy decision.
So there’s no issue with transferring data, for example, to Israel or across Europe. The UK is included for now, but depending on how Brexit evolves, it’s not rosy from that angle either!
If this is not the case, as stipulated in article 46, transfer might still proceed under 2 conditions:
And this is where the rubber hits the road for the current Privacy Shield:
Privacy Shield stipulates an ombudsman/woman would be appointed to support those rights.
The Trump administration unsurprisingly took its time to appoint someone and doubts have emerged about the (political) independence of that person.
And although Privacy Shield exists today, it is up for review after the summer (the 2017 European summer) and is increasingly being criticized.
Article 49 mentions derogations for specific situations when such adequacy decisions do not exist. One of these is rather clear in 1 (a): “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of adequacy decision and appropriate safeguards”.
Another change that will be brought on by the introduction of the GDPR will be the replacement of the Article 29 Working Party.
Traditionally, the Article 29 Working Party has had little power in bringing about any real change – it took them 10 years to get IP addresses classed as personal data, which only came about because of a ruling by the ECJ.
When the GDPR comes into effect on May 25, 2018, the Article 29 Working Party will become the European Data Protection Board (EDPB) and thankfully will have more power, aligned with the description of its tasks in article 70.
It will be interesting to see how international data transfers will continue to evolve considering Privacy Shield’s imminent review and whether even standard contractual clauses will survive judicial scrutiny.
For now, data is increasingly being stored on EU soil to assure the rights of EU data subjects are respected, as enshrined in the treaties that recognize our fundamental rights.