The US government says it will continue to administer the “Safe Harbour” program, a framework for transferring citizens’ data between Europe and the US — despite it being struck down by Europe’s top court earlier this month.
Any Safe Harbour self-certifications issued by the US Department of Commerce since the ruling will not hold any legal weight with European authorities — meaning American companies who choose to take this route are opening themselves up to legal challenges from national regulators.
The 2000 Safe Harbour decision was a way to unify Europe and America’s disparate regulatory regimes, and streamline the transfer of data on citizens between the two regions for companies. It meant that US companies could self-certify with the Department of Commerce, and not have to worry about differences in regulation in over 20 European countries.
But following revelations of US spying by whistleblower Edward Snowden, fears grew over adequate protections for Europeans’ data held in America under Safe Harbour. Austrian activist Max Schrems took Facebook to court, and the case ended up at the European Court of Justice (ECJ), which ruled last week that Safe Harbour was “invalid.”
“The existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities,” the court ruled.
The ruling throws the around 4,500 American companies that relied on Safe Harbour into confusion and legal jeopardy. Individual European countries can now set their own regulation for US companies’ handling of citizens’ data, vastly complicating the regulatory environment in Europe. Countries could even choose to totally suspend the transfer of data to the US — forcing companies to host user data exclusively within the country.
Of course, this hasn’t happened yet. (Although Russia passed a law requiring exactly that earlier this year.) There are also other ways for companies to legitimise the transfer of users’/customers’ data. These include getting the informed consent of the data subject, and using model clauses in contracts pre-approved by the European Union.
Continuing to rely on Safe Harbour alone will not give a company any legal protections. Despite this, the US government says (on Export.gov) that “in the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbour program, including processing submissions for self-certification to the Safe Harbour Framework.”
Dr. Susan Foster, a privacy lawyer at Mintz Levin, told Business Insider that “new Safe Harbour self-certifications won’t hold any weight with European Data Protection Authorities or courts.”
However, Foster says that “the FTC’s position that it will continue to administer the program and process submissions for self-certification makes some sense for two reasons.”
Firstly, “the FTC can continue to enforce Safe Harbour compliance for its own reasons … The FTC has an interest in light of US law in ensuring that companies that promise consumers that they will do certain things actually do them.” Secondly, negotiations between the US and the EU commission are already underway about a replacement for Safe Harbour. “Arguably, the FTC’s decision to continue enforcing/administering its current Safe Harbour program while those negotiations wrap helps demonstrate its commitment to ensuring the US companies who agree to abide by the EU’s data protection rules keep their promises.”
In short, it is a show of good faith, and will help ensure compliance with US law.
But it will not let American companies legitimise the transfer of EU citizens’ data from Europe, nor protect them from legal action by regulators — ostensibly the purpose of Safe Harbour.
Speaking at a press conference in Strasbourg following the ruling, European Commission member Věra Jourová said that Europe will be seeking a “coordinated response” between national regulators to ensure there is a “legal framework” for American companies. The European Commission will be issuing guidance to national data protection authorities in the weeks ahead.
It was Facebook that Schrems’ initial case targeted, but the Californian social network says it is not directly impacted by the ruling, as it has alternative legal structures in place to legitimise the transfer of data. “This case is not about Facebook,” a spokesperson said in a statement. “What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows.”