The Court of Justice of the European Union will rule Tuesday on the validity of the U.S.-European Union “Safe Harbor” deal covering how Europeans’ personal data can be transferred across the Atlantic by Internet giants like Google and Facebook. Many people are betting the court will throw out the deal and in the long run that could be good for privacy on both sides of the Atlantic.
European privacy protection law is generally stricter than in the United States and European personal data could not have been processed in the United States unless a deal was cut. And, so it was 15 years ago. We didn’t enact the same strict privacy laws as Europe, but companies wanting to bring European personal data across the pond could if they “voluntarily” agreed to honor certain data protection principles and were then granted “safe harbor” to use the European data. According to Wikipedia those principles are:
• Notice – Individuals must be informed that their data is being collected and about how it will be used.
• Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
• Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
• Security – Reasonable efforts must be made to prevent loss of collected information.
• Data Integrity – Data must be relevant and reliable for the purpose it was collected for.
• Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
• Enforcement – There must be effective means of enforcing these rules.
As part of the Safe Harbor agreement a company had to self-certify that it was following those principles every 12 months. The problem is that nobody really bothers to check if the companies are doing what they claim to be doing. Many — if not most — don’t really do what they claim. There are about 3,000 U.S. companies claiming safe harbor.
Prompting Tuesday’s ruling is a case brought in Ireland by Max Schrems, who argued that of because of the NSA spying, the data he provided to Facebook that was transferred from the company's Irish subsidiary to the United States under the Safe Harbor deal was not, in fact, adequately protected. The Irish Court first took the case because because Facebook’s European operation is headquartered in Ireland. The case was then appealed to the European Court of Justice.
What’s got Google, Facebook and the other tech companies worried is a preliminary decision from Court of Justice of the European Union Advocate General Yves Bot. His opinion says that the Safe Harbor deal does not satisfy the EU's Data Protection Directive as a result of the "mass, indiscriminate surveillance" carried out by the NSA.
The CJEU doesn’t have to follow the advocate general’s advice, but it generally does. Ironically, one recent exception was the so-called Right To Be Forgotten, which allows people to request removal of search engine links to information that is “inadequate, irrelevant, no longer relevant, or excessive.” The advocate general advised there was no such right; the court disagreed and upheld it.
In the Safe Harbor case, however, many expect Bot’s opinion to prevail, particularly because the court announced so quickly after his opinion that it would issue its final ruling.
If the current Safe Harbor framework is overturned, I think a new agreement will be negotiated that will provide more adequate protections and better verification that the new agreement’s terms are being met. Those new measures are likely to spill over and help protect data privacy rights on this side of the Atlantic, as well.