Safe Harbor on trial in the European Union

 

The Safe Harbor framework is an agreement between the U.S. and the E.U. that allows U.S. companies to lawfully transfer a wide variety of personal data – from IP addresses to employment information – without clashing with E.U. data protection laws. The framework was established to help overcome differences in how user privacy is protected on either side of the Atlantic. To do so, U.S. companies voluntarily adhere to a set of principles under the supervision of the Federal Trade Commission (FTC).

Often criticised, the framework was already reviewed twice (in 2002 and 2004) and is currently under increased scrutiny in the E.U. In November 2013, the Commission put forward a series of 13 recommendations for the U.S. to implement that would improve the Safe Harbor immensely if implemented.

When newly appointed Justice Commissioner V?ra Jourová addressed the European Parliament at her confirmation hearing, she expressed “strong doubts” that Safe Harbor was really secure. Despite this, she said she is not willing to scrap the agreement without a plan B.  Her new colleague, Andrus Ansip, the incoming EU Commissioner for the Digital Single Market, seemed to hold a different opinion: after being asked about the current Safe Harbor negotiations, he replied that if there are no satisfying results from negotiations with the U.S., “the suspension of the agreement might then be the option.” Ansip’s declaration was a strong rebuke of the U.S. data protection policy strategy. However, as the European parliament suggested in its evaluation report, Ansip “failed to provide a concrete indication for a Commission decision on the suspension”.

The U.S. and the E.U. had committed to revise Safe Harbor by the summer of 2014. But the deadline passed without meaningful action and further developments are expected in the coming months. Nor are they guaranteed to improve. Signs from the U.S. are not positive. Ted Dean, deputy assistant secretary for services at Commerce’s International Trade Administration, referred to the E.U. Commission’s recommendations as mere suggestions, indicating that the U.S. may not be taking the negotiations seriously. If the U.S. is indeed willing to improve the transparency of the framework – for example by publishing on the website of the Commerce department clear labels next to companies which are not current members of the scheme – there are still lingering issues about a lack of enforcement. For instance, it is still unclear whether or not the U.S. will implement the entirety of the E.U.’s recommendations, such as empowering the FTC to conduct  ex-officio investigations to assure that U.S. companies are in compliance with their privacy policies and that any false claims would eventually be further investigated.

Referral in court

Following years of controversy, the agreement will now have to face the Court of Justice of the European Union. Austrian privacy activist Max Schrems filed a case in Irish court against Facebook was referred to the Court of Justice to examine the legality of the Safe Harbor agreement with E.U. law.

Schrems’ claims against Facebook were quite clear: the National Security Agency’s PRISM programme highlighted that no meaningful data protections for Europeans exist under U.S. law and that Facebook Ireland was “facilitating the processing of such data.” In a letter dated 26 July 2013, the Irish Data Protection Commissioner refused to investigate Facebook because the Irish branch of the company was registered under the Safe Harbor arrangement and provided access to U.S. law enforcement. Following these considerations, the Irish High Court decided on 18 June 2014 to refer the case to the Court of Justice.

While the Court of Justice ruling is expected by the end of 2015, various committees of the European Parliament have called for an official intervention in the case. In April of this year, the Parliament already called for the immediate suspension of the Safe Harbor agreement in its report on mass surveillance activities as it fails to provide adequate protection for E.U. citizens.

What to expect?

Certainly, the referral to the European Court of Justice comes at a time when the debate is heating up in the E.U. on data transfer for commercial and national security purposes. The Snowden revelations led to the relaunch of discussions on an E.U.-U.S. umbrella agreement, a scheme that will regulate personal data transfer from the E.U. to the U.S., for the prevention, detection, investigation and prosecution of criminal offences. Moreover, the E.U.-Canada Passenger Name Record agreement – a pact regulating information exchange between the E.U. and Canada – is currently under discussion in the European Parliament.

Could the Safe Harbor agreement be suspended without a plan B? Time will tell. Even if Justice Commissioner V?ra Jourová does not favour this option, there seems to be little to impede this route. The European Commission should first conduct firm negotiations with the U.S. to ensure that efficient mechanisms for enforcement, oversight, and transparency are put in place. Changes put forward during this review process must guarantee E.U. citizens high standards for data protection and privacy enshrined in the Charter of Fundamental Rights of the E.U.

2015 will be the year of Safe Harbor. We’ll have a legal judgment by the E.U. Court of Justice and (hopefully) a thorough review of the agreement by the European Commission. Access will closely monitor the situation and keep you constantly updated…stay tuned!

Contribution by Francesco Vinci