EU desperately pushes just-as-dodgy safe harbour alternatives

Doesn't matter whether they're legal, just keep the data flowing!


Despite EU vice president Frans Timmermans' impressive efforts at spin yesterday, the European Commission finds itself in an awkward position today after the European Court of Justice struck down the safe harbour arrangement.

Safe harbour is the workaround agreement between the EU and the US that allows international companies to transfer EU citizens' personal data to the US even though the US does not meet the adequacy standards for EU data protection law.

In effect, US companies – around 4,400 in all – sign up to a voluntary code of conduct that is then enforced by the American Federal Trade Commission (FTC).

On Tuesday the European Court of Justice (ECJ) ruled that the safe harbour agreement was invalid, since in light of the Edward Snowden revelations about US surveillance, it doesn’t protect people's personal data from spies. Although the US claimed this was inaccurate, and big businesses complained that they couldn’t work without the safe harbour arrangement, the ruling wasn’t entirely a surprise.

Safe harbour has been dogged by controversy, so much so that the European Parliament called for it to be suspended. The commission refused, preferring instead to re-negotiate the terms. With the ECJ granting the European Parliament’s wish, Timmermans’ assertion that the ECJ ruling “supports” the commission’s position is dubious. “I see this as a confirmation of the commission’s approach for negotiations. In light of the ruling we will continue this work for transatlantic data,” he said.

The court ruling, however, said that national data protection authorities (DPAs) were obliged to investigate complaints regardless of the commission's position on safe harbour.

We're innocent, honest guv

In a two-hour technical briefing on Wednesday, Commish sources pointed out that the safe harbour arrangement was put in place before the introduction of the US Patriot Act and its attendant surveillance activities; the implication being that the Commish couldn’t have known about any spying. That cannot be said for the years since Snowden lifted the lid.

The Article 29 Working Party, made up of representatives of all the national DPAs, felt vindicated by the ruling.

“A29WP has been studying the impact of mass surveillance on international transfers and has on several occasions presented its concerns. Today’s judgment confirms that due to in particular the existence of mass surveillance and the absence of possibility for an individual to pursue legal remedies in order to have access and to obtain rectification or erasure, serious questions exist regarding the continuity of the level of data protection when data are transferred to the United States.”

Yet another party claiming the ECJ decision backed her position is former justice commissioner Viviane Reding, now an MEP: “Reform or Suspension, this was my position in 2013 when I put forward a complete overhaul of safe harbor, including 13 recommendations aimed at setting up a more solid framework and clearly delineating citizens’ rights, governments’ role and companies’ duties.”

“After two years of discussions, negotiations still stumble over national security on the American side. Although the rapid flow of information between the EU and the US depends on mutual trust, an agreement on these 13 recommendations would rebuild the confidence tarnished by the Snowden revelations,” added Reding.

Fellow MEP and head of the EU Parliament’s civil liberties committee, Claude Moraes, was also critical of the slow progress made in negotiations: “The Commission has been in negotiations with the US for over a year on improving the framework but we have still received no update on these discussions.”

“Both the message from the European Parliament and from the European Court of Justice have been clear: the safe harbour framework does not protect European citizens' private data when being transferred to the US as the EU Charter and EU law require. Now the responsibility to remedy this solution is with the Commission. It must act without delay to fill this void,” he said.

And a void is exactly what most businesses fear. Enormous pressure is on the European Commission to come up with a solution.

“There were a lot of alarmist responses to this case,” said Max Schrems, the man responsible for bringing the case (against Facebook) to court. “But it is clear from the judgement [that it] applies to a limited set of situations, such as outsourcing of EU data processing operations to US providers. The court could have allowed for a transitional period, to allow a smoother implementation even in these limited cases, but did not choose this option. The average consumer will not see any restrictions in daily use. There are still a number of alternative options to transfer data from the EU to the US,” he added.

