It is impossible to avoid the frenzy that has been kicked up by the European Court of Justice’s (ECJ) decision of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner.
What is/was the Safe Harbour?
Like Australia, the Member States of the European Union (EU) are subject to strict data protection regulations. Generally speaking, personal data cannot be transferred out of a Member State unless the destination country has adequate protection for the data in question. Over a decade ago, the United States of America (US) and the European Commission entered into the ‘Safe Harbour Agreement’, which meant that data could be shared where both companies comply with the Safe Harbour Agreement.
All was well and good and many big businesses (including Amazon and Google) relied on the enforceability and protection of the Safe Harbour Agreement.
So what happened?
Edward Snowden let the cat out of the bag when he revealed that the National Security Agency (NSA) was carrying out widespread surveillance of digital communications (including EU residents’ personal data). One of the many consequences of this was that an Austrian law student called Maximillian Schrems complained that his Facebook data should not be sent by Facebook’s Irish subsidiary to servers in the US for processing. He argued that the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. This may be somewhat of an understatement; as the German Chancellor Angela Merkel put it when it came out that she had been spied on, ‘spying among friends’ was ‘unacceptable’.
On 23 September 2015 Advocate General Bot released a non-binding but very influential opinion re-stating the findings of earlier courts that ‘the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection’. AG Bot went on to say ‘the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data’.
The writing was on the wall, but it took until 6 October 2015 for the ECJ to reach its decision. In summary:
‘The United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.’
The ECJ found that the US surveillance compromised the essence of the EU fundamental rights to respect for private life and effective judicial protection.
What does this actually mean?
A quirk of the European Economic Area (EEA) legal system is that the ECJ does not decide the dispute itself. It is for the national court or tribunal to deal with the case in accordance with the ECJ’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised. That said, it is pretty clear that the Safe Harbour Agreement is history.
One of the most likely consequences is that the EU and US will reach a new, stricter agreement in the near future.
Does this actually matter… my business is in Australia?
Australian companies that are responsible for the transfer of EU citizens’ personal data to the US will be impacted by this decision if either party relies on the Safe Harbour Agreement.
There is no immediate impact for Australian businesses who are not seeking to rely on the Safe Harbour Agreement to transfer personal data between EU and US operations. However, privacy and data retention remain topical issues, with mandatory data retention legislation recently passed for telecommunications carriers, and proposed mandatory data breach legislation still expected this year.
What should we be doing?
For starters, no new agreements should be entered into that provide that the parties may rely on the Safe Harbour Agreement as providing adequate protection for data sent from the EU to the US.
If, in existing arrangements, either party relies on the Safe Harbour Agreement as adequate protection, then this approach needs to be urgently reconsidered. The alternatives include agreeing a different way to share data with US entities, such as model clauses approved by the relevant authorities (although query whether there is actually any way to contractually prevent the NSA from intercepting data), getting data subjects’ permission for the export of their data, or ceasing to export the data to the US.