Safe Harbor is No More: What Comes Next?

Max Schrems is an Austrian privacy activist whose lawsuit against Facebook’s European arm led to a groundbreaking judicial decision. As a result of Schrems’s case, which alleged that his personal, private data was mishandled, the European Court of Justice struck down the Safe Harbor pact in October.

Enacted in 2000, the pact, formally called the Safe Harbour Privacy Principles, was a list of seven principles to which certain U.S. companies were required to self-certify, in which case they would be in compliance with privacy laws regarding European Union and Swiss citizens. With the Safe Harbor pact found invalid, U.S. and European authorities have been working to strike a new agreement and a workable framework to replace it.

And though that process was supposed to begin immediately, as yet there is nothing in place. No privacy shield, no agreement – and according to an article this week in the International Business Times (“No One Knows What Will Replace Safe Harbor, But Max Schrems Says It Won’t Be ‘Privacy Shield’”), U.S. operators are essentially doing business without a safety net with regard to liability and privacy protections:

Earlier this month U.S. and EU officials sought to ease corporate uncertainty when they announced they've constructed the framework for a new agreement intended to satisfy privacy advocates and companies that rely on international data transfers. Under the Privacy Shield terms, a U.S. ombudsman will be appointed to handle European data complaints, though it's not clear how much power that position will hold.

There has also been no mention of a date of implementation, how long the EU approval process would take, whether that process would indeed result in approval, or other key details.

Back in November, immediately following the court ruling that invalidated Safe Harbor, the European Commission urged the swift adoption of a new standard. In an aptly titled news release, “Commission issues guidance on transatlantic data transfers and urges the swift establishment of a new framework following the ruling in the Schrems case,” the Commission acknowledged the overriding need for privacy protections of all citizens and urged a legal framework that provided the needed measures of support.

In its news release, the European Commission stressed certain points, including the following:

  • the Safe Harbour arrangement can no longer serve as a legal basis for transfers of personal data to the U.S.;
  • the Commission will continue and finalise negotiations for a renewed and sound framework for transatlantic transfers of personal data, which must meet the requirements identified in the Court ruling, notably as regards limitations and safeguards on access to personal data by U.S. public authorities;
  • other adequacy decisions will need to be amended, to ensure that Data Protection Authorities (DPAs) remain free to investigate complaints by individuals.

What does all this mean? For data protection and privacy specialists, it means we are still in uncharted waters in terms of personal privacy protections in Europe, and there are serious legal questions confronting U.S.-based corporations that conduct business in this arena.

The best policy in the interim would be for security personnel to be vigilant in requiring that the highest standards of data protection are strictly followed. First, it will be critical should any liability arise from past issues, and it will help head off any compromises that can lead to litigation. Second, it will be the best proactive approach to shaping their companies’ data protection policy in a way that anticipates a new agreement, whatever form it might take. And what that might be is still a mystery.

Perhaps Schrems summed it up best:

“The Privacy Shield simply does not exist right now, so we don't know what it is,” Schrems said Monday, adding that Europe and the U.S. remain deeply divided over mass surveillance, self-certification and other issues that could contribute to a long period of negotiation.

“I don't think anyone knows how to really solve this issue, and I don't have the final answer either,” Schrems said. “I think of privacy as the right of informational self-determination, and I want to be in control of what's available about me. But so much data is what other people are saying about you, and the data your devices are generating about you. To regain this power is what data protection laws are meant to do, and hopefully will soon.”