Privacy protection in the US insufficient – More safeguards for EU data required

By Faryad On Oct 10, 2015

Spread the love

You type a message on Facebook, send an email via Gmail or send out a tweet via Twitter. Or maybe you use Office 365 through your work, share your files via Dropbox or use CRM applications via Salesforce. In all these cases there is a flow of data to American companies and that was quite obvious until today, but not anymore.

In order to be allowed to process data of European citizens, a company must comply with a number of guarantees drawn up by the European Commission . The processing must, among other things, be necessary, may not take longer than necessary and requires permission. If foreign companies comply with those rules, they are in principle also allowed to receive the data of EU citizens , and for US companies this permission has so far been facilitated by means of the Safe Harbor principles.

In 2000, the European Commission designated the US with decision 2000/520/EC as a country for which there is sufficient guarantee that data is adequately protected. There are now more than five thousand American companies on the list of companies that meet the Safe Harbor conditions, although the permission has expired in many cases.

Exit Safe Harbour

On Tuesday, however, the European Court of Justice drew a line through the current rules for consent to data processing by American companies, in the Facebook/Schrems case . The companies may offer sufficient protection of the data, government agencies in the US can simply access it. The European Court of Justice refers indirectly to the NSA. In the US, according to the Court, it is simply the case that in the context of national security and investigation it is possible to deviate ‘without restriction’ from the Safe Harbor protection measures, with the interference of the fundamental rights of European citizens. The European Commission did not take this into account in its decision of 2000 and is therefore immediately invalid.

What does that mean in practice?

It is no longer allowed for data to be transferred to the US under Safe Harbor. According to Ot van Daalen, lawyer in the field of digital rights at Project Moore Advocaten, this is a judgment with far-reaching consequences. “Companies will have to look for alternatives.” According to him, these alternatives exist in the form of model contracts, which companies such as Facebook, Google and Microsoft, but also smaller companies, must conclude individually with European companies.

According to Van Daalen, however, American companies have not been keen on this so far. “The negotiations take a long time, the rules are stricter than those of the Safe Harbor – including with regard to security – and, moreover, supervisors can easily stop them if they decide that an infringement goes too far.”

The role of the supervisors has increased enormously due to the current ruling. Citizens can turn to them if they think that American companies do not sufficiently protect their data and those objections can no longer be brushed aside with a reference to Safe Harbour. The watchdogs can actually suspend the data transfer.

According to Van Daalen, the individual contracts are the best alternative for American companies for the time being, until politicians come up with a new Safe Harbor arrangement, on the basis of which privacy is sufficiently guaranteed.

Turn on politics

That new regulation is already in the making, but is much too late, says D66 MEP Sophie in ‘t Veld. “Because the Commission has stuck its head in the sand all these years, European companies are now in trouble. The Commission must adjust Safe Harbor as quickly as possible, within the Court’s ruling and requirements,” said In ‘t Veld. The reform of data protection rules was already announced in 2012 , but negotiations with the US are still ongoing.

The European Commission declares that it sees the ruling as confirmation that it is taking the right approach with the reforms that have been initiated. The committee states that there are enough other ‘mechanisms’ to maintain the transatlantic flow of data, referring to the model contracts. Furthermore, the privacy authorities in the member states would receive guidelines on how to deal with requests for data provision.

It is clear that the European Commission must enforce much stronger agreements in negotiations with the US to protect the privacy of European citizens, says Daphne van der Kroft of digital civil rights organization Bits of Freedom.

‘Good day for privacy’

“Today, the European Court of Justice has made it very clear that privacy protection should not be limited to fine words, but must actually be observed. The European Commission must ensure this. It is a good day for privacy,” says Van der Kroft. She says the ruling has also put Facebook in a difficult position. “In fact, it has been said that they cannot provide adequate protection.”

Facebook itself sees it very differently. “This case is not about Facebook. The Advocate General of the CJEU has himself stated that Facebook has done nothing wrong,” a spokesperson said. “It is now time for the US and EU governments to ensure that reliable methods of transferring data lawfully remain and that they resolve national security issues.”

The next case

At the root of the current problem is the fact that your data does not end up at data centers under European protection, but at data centers under the American flag. US secret services are also allowed to access data in data centers on European territory on the basis of the Patriot Act, as long as they belong to US companies.

The extent to which the US is allowed to access data stored in the EU depends in part on the outcome of a case between Microsoft and the US judiciary. US judges ruled that Microsoft had to hand over emails stored in a data center in Ireland. The request was part of a criminal investigation by the US Attorney’s Office. A decision in this case could take until February.

Whatever that ruling is, the privacy of European citizens is higher on the agenda than it has been for a long time and it is up to the European Commission and the regulators to set and enforce new rules for protection.