Tuesday, October 6, 2015

EU's Highest Court Invalidates EU-US Safe Harbor

Once again, Europe challenges US privacy laws. Today, the Court of Justice of the European Union invalidated an EU-US pact that allowed for easy data transfers from the EU into the US. The decision will put more pressure on the US to tighten up its privacy laws. Privacy is a basic human right in the EU, while most US states are still struggling to prohibit employers and schools from demanding passwords to employees'/students' social media accounts. In light of this latest Court decision, American companies such as Facebook and Google will have to restructure how they collect, use and store personal data collected from Europe.

An Austrian graduate student brought the lawsuit. It alleged that Europeans’ personal data is unsafe in the US because US law inadequately protects it and the US Gov’t likes to spy on people’s personal information. In particular, mass surveillance under NSA’s PRISM program raised serious concerns. U.S. intelligence services were able to access people’s personal information in the databases of Facebook and other tech giants. The lawsuit claims mass surveillance by US authorities violates Europeans’ fundamental rights.

So, the Court of Justice of the European Union ruled that the EU-US Safe Harbor agreement on the transfer of personal data is invalid. The Safe Harbor agreement had been in place since 2000. What was the agreement for?

EU law allows companies to export European citizens' personal data only to countries that provide a similar level of legal protection for that data. The Safe Harbor was the agreement that certified that the US provided adequate protection. It was, thus, easy for thousands of US companies to transfer data from the EU to the US. All they had to do was to self-certify that they comply with the acceptable privacy principles. More than 5,000 US companies took advantage of the convenient Safe Harbor arrangement to facilitate data transfers.

But now that the Safe Harbor is invalid, Europeans’ personal data can no longer be transferred to US businesses solely on the basis of the Safe Harbor certification. Instead, to authorize data transfer, the parties have to rely on other methods such as the "model contract clauses", which set out the US business’s privacy practices and obligations. That will, of course, be inconvenient and create a lot more administrative work for the US companies.

The decision will put more pressure on the US to tighten up its privacy laws. The US and EU have been negotiating to update the Safe Harbor agreement for almost two years already, but it’s still unclear whether the parties are close to concluding the deal.