Despite EU vice president Frans Timmermans' impressive efforts at spin yesterday, the European Commission finds itself in an awkward position today after the European Court of Justice struck down the safe harbour arrangement.
Safe harbour is the workaround agreement between the EU and the US that allows international companies to transfer EU citizens' personal data to the US even though the US does not meet the adequacy standards for EU data protection law.
In effect, US companies – around 4,400 in all – sign up to a voluntary code of conduct that is then enforced by the American Federal Trade Commission (FTC).
On Tuesday the European Court of Justice (ECJ) ruled that the safe harbour agreement was invalid, since in light of the Edward Snowden revelations about US surveillance, it doesn’t protect people's personal data from spies. Although the US claimed this was inaccurate, and big businesses complained that they couldn’t work without the safe harbour arrangement, the ruling wasn’t entirely a surprise.
Safe harbour has been dogged by controversy, so much so that the European Parliament called for it to be suspended. The commission refused, preferring instead to re-negotiate the terms. With the ECJ granting the European Parliament’s wish, Timmermans’ assertions that the ECJ ruling “supports” the commission’s position is dubious. “I see this as a confirmation of the commission’s approach for negotiations. In light of the ruling we will continue this work for transatlantic data,” he said.
The court ruling, however, said that national data protection authorities (DPAs) were obliged to investigate complaints regardless of the commission's position on safe harbour.
We're innocent, honest guv
In a two-hour technical briefing on Wednesday, Commish sources pointed out that the safe harbour arrangement was put in place before the introduction of the US Patriot Act and its attendant surveillance activities; the implication being that the Commish couldn’t have known about any spying. That cannot be said for the years since Snowden lifted the lid.
The Article 29 Working Party, made up of representatives of all the national DPAs, felt vindicated by the ruling.
“A29WP has been studying the impact of mass surveillance on international transfers and has on several occasions presented its concerns. Today’s judgment confirms that due to in particular the existence of mass surveillance and the absence of possibility for an individual to pursue legal remedies in order to have access and to obtain rectification or erasure, serious questions exist regarding the continuity of the level of data protection when data are transferred to the United States.”
Yet another party claiming the ECJ decision backed her position is former justice commissioner Viviane Reding, now an MEP: “Reform or Suspension, this was my position in 2013 when I put forward a complete overhaul of safe harbor, including 13 recommendations aimed at setting up a more solid framework and clearly delineating citizens’ rights, governments’ role and companies’ duties.”
“After two years of discussions, negotiations still stumble over national security on the American side. Although the rapid flow of information between the EU and the US depends on mutual trust, an agreement on these 13 recommendations would rebuild the confidence tarnished by the Snowden revelations,” added Reding.
Fellow MEP and head of the EU Parliament’s civil liberties committee, Claude Moraes, was also critical of the slow progress made in negotiations: “The Commission has been in negotiations with the US for over a year on improving the framework but we have still received no update on these discussions.”
“Both the message from the European Parliament and from the European Court of Justice have been clear: the safe harbour framework does not protect European citizens private data when being transferred to the US as the EU Charter and EU law require. Now the responsibility to remedy this solution is with the Commission. It must act without delay to fill this void,” he said.
And a void is exactly what most businesses fear. Enormous pressure is on the European Commission to come up with a solution.
“There were a lot of alarmist responses to this case,” said Max Schrems, the man responsible for bringing the case (against Facebook) to court. “But it is clear from the judgement [that it] applies to a limited set of situations, such as outsourcing of EU data processing operations to US providers. The court could have allowed for a transitional period, to allow a smoother implementation even in these limited cases, but did not chose this option. The average consumer will not see any restrictions in daily use. There are still a number of alternative options to transfer data from the EU to the US,” he added.