The Court of Justice of the European Union produced a “landmark” decision in the case of Maximillian Schrems v Data Protection Commissioner declaring Safe Harbour to be invalid.

What’s this all about?

In short, the Data Protection Directive (which was implemented here in the UK by the Data Protection Act back in 2000) states that the personal data of a European citizen cannot be transferred outside of the European Economic Area (EEA) unless that country has an adequate level of protection for that data.

Only a few countries around the world have been granted adequacy status, currently: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay. On this basis, the European Commission deems the US as having inadequate data protection laws, meaning a solution to transferring data to the US had to be found. An agreement was reached between the Commission and the US Government, whereby US based companies could sign up to Safe Harbour by agreeing to comply with the “Safe Harbour Privacy Principles”, which was essentially a short form version of the Data Protection Directive. This allowed personal data from the EEA to be transferred to those companies that had signed up.

That sounds fair – so what’s the problem?

The Court’s verdict has re-affirmed what many data protection experts have been shouting about for years – that reform of the Safe Harbour system has been long overdue. The Court exposed the problems of a self-certification system based in a country with inadequate data protection laws, with the Court bringing to light (with a little help from the Snowdon revelations) the fact that:

  1. there was US legislation in place that completely undermined the safe harbour system – permitting national security, public interest and law enforcement requirements to prevail over it. The ability for public authorities to have such access to personal data compromised the essence of the fundamental right for private life; and
  2. (ii) no legal remedies were available to individuals who wanted to access personal data, correct, or even erase it.

So what now?

Many big tech companies like Microsoft, Facebook and Salesforce have already issued statements or blog posts saying exactly what we would have expected. Nothing to worry about here. Many believe that the ruling will not have much of an effect on business because they already have safeguards in place, predominantly in the form of model clauses, which form a series of European Commission approved contractual promises regarding the transfer of personal data to countries with inadequate data protection laws (i.e. the US). The purpose of the clauses is to allow a company based in the EEA to ensure that a transfer to a US company “protects the freedom and interest of the data subjects”.

However, the Court’s ruling has thrown the validity of the model clauses into doubt too. With the Snowden revelations showcasing the surveillance reaches of the National Security Agency and other US agencies, coupled with the lack of any legal recourse on the part of individuals to stop such surveillance and the exposure of security deficiencies and even complicity from companies in light of such surveillance powers, it’s hard to believe that model clauses are having any effect at all in the protection of data subjects’ interests and freedoms.

Like all contracts, the expectation is that clauses will be adhered to, rather than ignored, and the belief is that there needs to be much greater scrutiny of the actual processes and procedures adopted by companies in compliance with the model clauses; without this, it’s not so different to the self certification scheme that Safe Harbour was based on.

What does this mean for me?

The Information Commissioner’s Office (ICO) has, as expected, been quick to release a statement, commenting that “businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this”. So there’s no reason to panic in the short term and there’s hope that the Article 29 Working Party, a committee of representatives from national data protection authorities across the EU, will release some form of guidance after it meets on 15th October.

Negotiations relating to a new Safe Harbour have been continuing and stalling for the last two years, but it’s anticipated that the Court’s ruling will focus the minds and introduce a new system in the not too distant future.

What do I do now?

Despite all the uncertainty, one thing is clear; change is on the way. However, the ICO has already stated it won’t be rushing into regulatory action, so don’t expect the use of model clauses to immediately follow the path of Safe Harbour – ultimately these have not yet been declared invalid, so there’s an expectation that many companies will seek to rely on them until told otherwise.

We all know Safe Harbour 2.0 is on the way. In the meantime, it’s expected that some businesses reliant on hosting companies may now investigate European only services; although an actual move seems premature as the tech industry awaits an update from the ICO and the Article 29 Working Party. Watch this space!