Privacy Enhancing Ruling
On 6 October 2015, the European Court of Justice (ECJ) invalidated the EU-US Safe Harbor Agreement. The court’s ruling is a new chapter in a series of Privacy Enhancing Rulings of regulators and courts worldwide, thereby enhancing citizens’ privacy worldwide.
What is Safe Harbor?
The US-EU & US-Swiss Safe Harbor frameworks provided a legal basis for transferring personal data to and from the US. Both EU and Swiss legislation stipulate that the transfer of personal data is only allowed with countries that offer an adequate level of protection. While the US level of protection is not considered to be adequate, the safe harbor framework nevertheless enabled an exchange of personal data between Swiss and EU companies with US organizations, provided the US organization is (self)certified with the seven safe-harbor principles (i.e. notice, choice, onward transfer, access, security, data integrity, enforcement).
Safe Harbor for Swiss data
Similar to the EU, the Swiss privacy regulator (FDPIC) acknowledged the safe harbor scheme as legal grounds for personal data transfers to the US. In essence, the US-Swiss Safe Harbor framework is equivalent to the US-EU framework. More than 3000 companies in Switzerland currently make use of this scheme for their data transfers with the US.
Safe Harbor was always under fire
Since its inception, the safe harbor agreement has been under fire by privacy scholars and experts. The criticism focused on the fact that the safe harbor agreement relies on a self-certification scheme that is not independently monitored. This means that there was always a risk that organizations did not implement their personal data management adequately – possibly without even knowing it – thus offering insufficient privacy protection.
Safe Harbor no longer safe
One of the ECJ’s key arguments for invalidating the safe-harbor agreement was that US’ public authorities have access to the content of electronic communications on a generalized basis (think NSA’s PRISM). The ECJ argued that this compromises the essence of the fundamental right to respect for private life.
Hence, interestingly enough, the reason to invalidate safe harbor does not have to do with the shortcomings of the framework, but with overall privacy shortcomings of the country to which it applies (i.e. the USA). Therefore, logical conclusion would have it that the ultimate solution would be to suspend all transfers of personal data to the US. However, that solution is not a very practical one.
Where to dock now?
This leaves us to ponder other possible solutions. From a legal perspective, there are other legal grounds available in order to lawfully transfer data with the USA, such as:
- The standard contractual clauses of the European Union
- The Council of Europe’s model contract for safeguarding an appropriate level of data protection in transborder data transfers
- The FDPIC’s model contract for the transborder outsourcing of data processing
Rather than discussing the content of these options, I would like to emphasize the fact that they are merely other legal grounds. None of these options will limit the US authorities’ possibilities to access citizens’ personal data. Therefore, there is a risk that these options are only acceptable for the time being. we could very well imagine that in a new ECJ or Swiss court proceeding, these other options will be invalidated as well, as they do not offer a solution for the underlying problem, i.e. that of the authorities having access to our personal data!
Of course, having proper legal grounds for data transfers is important. Notwithstanding, instead of focusing on the legal aspects of the data transfer, organizations should concentrate on the protection of personal data. The goal should be to transfer personal data only if and when it can be ensured that the data is adequately secured and will not fall into the ‘wrong’ hands. Correct use of Privacy Enhancing Technologies (including encryption, data minimization, data masking, etc.) and privacy controls is vital for this. State-of-the-art IT security techniques in combination with proper implementation of privacy principles should be the norm for every organization doing business in Switzerland and / or the EU. Only by implementing such principles properly, will organizations be able to avoid the negative consequences of the next big Privacy Enhancing Ruling.