The Safe Harbor vacuum: the legal certainty the EC promised for the end of January is still pending, so the future of transatlantic data transfers remains unclear. Is politics really leaving the IT industry in the lurch?
In the European Community, the handling of personal data is regulated by Directive 95/46/EC, which is regarded as one of the strongest data protection standards in the world. It prohibits the transfer of personal data from the EC to countries without a comparable level of protection. Since US law has no equivalent regulations, Safe Harbor was developed from 1998 to 2000 as a procedure under which companies can register on a site of the US Department of Commerce and thereby declare that they comply with the Safe Harbor privacy principles. In July 2000 the EC decided that this declaration ensures sufficient protection of EC citizens' personal data.
Fourteen months later, the threat level changed dramatically with the events of 9/11, and the US security authorities were authorized to access any type of data comprehensively, legitimized by the Patriot Act. However, since the practice of excessive data access by US authorities has not changed even 14 years later, and the Patriot Act has been followed by the USA Freedom Act, the European Court annulled the acceptance of Safe Harbor as providing a sufficient level of privacy protection. As incredible as the 14-year state of exception in the USA is the sudden realization by the EC, after exactly these 14 years, that processing the data of EC citizens in the USA is no longer safe. As a consequence, from one day to the next the IT industry, and with it the travel industry, was thrown into crisis, because many business models that had been legal until then suddenly violated European law. For these companies it was only cold comfort that the national data protection authorities of the EC granted a transition period until the end of January 2016.
Lack of legal certainty
Unless a company has installed its data center on a container ship, migrating it from one continent to another is no easy undertaking. The EC's standard contractual clauses are regarded as a first-aid measure, but even with them the legal position is not fully clarified. While the European data protection authorities will not issue any binding guidance until a decision is reached, the national regulatory authorities can well take action and prohibit data transfers to the US in cases of complaints.
A change in US practice, i.e. restrictions on and controls of the security authorities, can hardly be expected now, especially against the background of the current US election campaign. Nevertheless, the USA is not the only problem; the problem lies on both sides of the Atlantic: for 14 years European politicians legitimized an abuse, then reacted with an ad hoc decision, and now they are unable to create legal certainty.
How safe are foreign harbors?
Certainly every government authorizes its security authorities to access personal data in matters of national security; even Directive 95/46/EC explicitly permits this in Article 3(2). Europe differs from other countries through the influence of its national data protection authorities and its effective control mechanisms. The excessive use of data legitimized by the USA Freedom Act has been extensively covered by the media and noticed by many people. However, we should expect that many other countries are also struggling to limit and control their security authorities.
First-aid measures for IT companies
In these days of insufficient legal certainty, companies processing personal data of EC citizens in the US are advised to be extremely careful and, in addition to using the EC standard contractual clauses, to comply with international security standards, encrypt critical data and obtain the consent of the individuals concerned (the owners of the data being processed or transferred). Furthermore, they should be ready to leave their US location at short notice in case of a corresponding decision by the European Commission. If the decision ever comes…
How do you see the future of processing EC travelers' profiles in non-European data centers?