By Keith Barnes
The European Court of Justice struck down on October 6 an agreement between the United States and the European Commission known as Safe Harbor, which allows companies to “self-certify” that they meet the data protection standards outlined in the 1995 European Data Protection Directive 95/46.
This landmark directive forbids any transfer of personal data to a server located outside the European Economic Area (EEA)–which includes the European Union, Norway, Liechtenstein, and Iceland–unless the receiving country has an “adequate level of data protection.”
The ECJ ruled that Safe Harbor did not sufficiently protect European citizens’ right to privacy, due to the exposure of the National Security Agency’s spying activities by individuals such as former NSA contractor Edward Snowden.
Without the protection of Safe Harbour, companies will now be forced to rely on individual “model contract clauses,” with which the European Commission deems a contract concerning the transfer of personal data sufficiently protected, according to lawyers Martin Braun and Christian Duvernoy.
The ruling has created a firestorm within the tech industry, with Silicon Valley companies such as Google, Facebook, and Apple racing to maintain operations without impeding service, according to the Guardian.
Although European Commission First Vice President Frans Timmermans has stated that the free movement of data will continue unimpeded, as the Commission can still use the “model contract clauses” on a case-by-case basis, companies have called for a longer-term solution.
In the United States, the question has arisen about the effect of the ruling on American data privacy rights. According to the International Business Times, the first step would be to “reform Section 702 of the Foreign Intelligence Surveillance Amendments Act, which justifies the mass collection of phone calls, emails, Facebook messages, Internet browsing history and other information–often without a warrant.”
This could be a long way off while government spying programs are still considered integral to counterterrorism efforts. The International Business Times suggests that Congress could pass the Consumer Privacy Bill of Rights unveiled by President Obama in 2012 as a “blueprint” for how to improve U.S. data privacy. Said bill details provisions such as controls by individuals over their information and the ability to set limits, barriers, and safeguards on the type of data collected.
Many of the companies that will be affected by this ruling have already established backup data centres within Europe to “avoid clashes with regulators,” according to the Wall Street Journal. These include Google’s centers in Belgium and Finland, and Facebook’s in Ireland.
Other companies such as Amazon are relying on the model contracts to continue providing service. Still others have begun shifting their data centers to Switzerland to take advantage of Swiss privacy laws. Such centers are easily considered adequate by the European Union, according to Les Echos, a French business daily.
The ruling does not explicitly end communications for companies without model contracts, but simply puts judicial oversight in the hands of national regulators. These regulators can now investigate contracts and practices of individual companies and “suspend them if they don’t provide sufficient protections,” the Wall Street Journal reports.
This will certainly create an uncomfortable legal burden for the European operations of certain corporations and, with no end in sight for Europe’s political impasse, will remain unresolved for the foreseeable future. With David Cameron’s goose-stepping over Britain’s EU referendum, Angela Merkel’s refugee conundrum, and Francois Hollande’s numerous domestic policy failures, who knows if European heads of state will ever place data regulation on their respective to do lists?