The judgement of the Court of Justice of 6 October 2015 (case No C-362/14) on the “Safe Harbor” program still resounds. We provided the background for this case earlier on our blog when the Court initiated the procedure. The Safe Harbor program was developed between the US Trade Department and the European Commission to enable certified American enterprises to freely process the personal data of EU citizens, without the need to fulfil additional excessive formalities of national data protection supervising authorities (e.g., GIODO in Poland).
Two weeks ago, the Court of Justice of the EU gave careful consideration to the above-mentioned program and annulled the European Commission’s decision on the basis of which the Safe Harbor program was applied. The Court indicated that the existence of a decision stating that a given country guarantees a certain degree of protection of the transferred personal data cannot, in any way, limit the powers of national supervising authorities. This is because the obligation of data protection authorities is to check whether the transfer of personal data to a third country complies with the regulations of Directive 95/46/EC. It was also emphasised that the program was applicable only to American entrepreneurs, not to public US authorities, which, within the limits of their jurisdiction, enjoy a de facto unlimited possibility to interfere with the personal data of the European Economic Area’s residents.
What are the practical consequences of this precedent-setting judgement? First, the Court of Justice confirmed the right of national data protection authorities (e.g., GIODO) to control all entities that transfer personal data from the EEA to American entrepreneurs. If an infringement is found, such transfer may be withheld.
A substantial, if not most important, aspect of the case is the loss of a provision legalising the transfer of personal data by the entities which have joined the Safe Harbor program, including such corporations as Facebook, Google or Coca-Cola (full list of participants). As a consequence, the said enterprises will have to find new grounds that will enable them to process massive amounts of personal data in a manner compliant with the law. Otherwise, these enterprises’ functions within the EEA may be paralysed.
How then will American companies be allowed to process personal data coming from the EEA? How should European entrepreneurs protect themselves against charges of improper data processing when cooperating with such companies? Should European entrepreneurs stop transferring personal data to the USA? What will happen to existing data outsourcing agreements? What are the responsibilities and consequences for data processing and transfers in the interim between the Court’s decision and the implementation of new solutions? The judgement raises more questions than answers. A few solutions exist that allow for the legal transfer of data to the USA.
First, it is possible to apply standard contractual clauses (SCC), on the basis of which an agreement can be concluded between an entity that has its registered office in the USA and a company which has its registered office in the EEA. These clauses have been approved by the European Commission as per Directive 95/46/EC. Such a solution was applied by Microsoft, which in 2011, for its cloud computing services, used standard contractual clauses as the prerequisite for legalising the transfer of personal data outside the EEA. Because it relied on standard contractual clauses rather than on participation in the Safe Harbor program, which is now invalid, this global software market giant can still receive and process personal data from Europe.
The second option is binding corporate rules (BCR), which usually apply to the exchange of personal data within international corporations. It should, however, be remembered that these rules have to be approved by GIODO, since Poland (like some other countries) has not joined the mutual recognition arrangements, which would remove the obligation of GIODO’s approval of binding corporate rules where another data protection authority within the EEA has already approved them. By way of an administrative decision, the Data Protection Commissioner approves binding corporate rules, applied by a group of entrepreneurs, for the purpose of transferring personal data to a data controller or another entity which belongs to the same group and which has been entrusted with the data.
The third solution is obtaining GIODO’s consent, issued on the basis of an administrative decision, provided the data controller ensures an adequate level of protection of privacy, rights and freedom of the data subject.
Another solution is for the data controller to obtain consent for the transfer of personal data from the individual. Such consent should be given in writing, which may generate some problems and is a rather impractical solution given the amount of data transferred across the ocean. The Personal Protection Act also provides for other possibilities; e.g., it allows for the transfer of personal data outside the EEA if such transfer is necessary for the performance of an agreement between the data controller and the data subject, or if it is undertaken at the data subject’s request.
The first two potential solutions have also been referred to by the Article 29 Data Protection Working Party in a special statement. The Party called on the Member States’ governments and EU institutions to undertake negotiations with US authorities as soon as possible in order to develop coherent solutions for the processing of personal data of EEA citizens, while respecting their fundamental rights. It should, however, be noted that such negotiations have been conducted since 2014 and are a consequence of the leak of information on the surveillance procedures of the National Security Agency (NSA). In practice, the updated Safe Harbor program was supposed to limit the options for American intelligence services to use the personal data of EEA citizens. It is hoped the judgement will intensify the activities aimed at developing common and safe solutions. The issue of (un)safe harbor is pressing and has significant implications for personal data processing by global giants. A natural consequence of the judgement is the necessity to obtain, relatively soon, additional permission for data processing from the users of Facebook and similar portals, as well as the need for such enterprises to revise their data processing policies.
As for European entrepreneurs, they will have to verify their existing agreements concluded with American companies to whom data was transferred (e.g., agreements providing for data processing on servers located on US territory). Most probably, the majority of them will have to be amended by annex or drafted anew.
Last but not least, the judgement of the Court of Justice applies only to the decision on Safe Harbor and does not extend to similar decisions of the European Commission concerning such countries as Switzerland or Israel.
Interestingly, an analysis of the views within the legal community shows significant discrepancies concerning both the assessment of the judgement itself and the philosophical attitude to privacy protection and personal data protection on either side of the Atlantic. The views of American lawyers, the majority of whom emphasise the threats and obstacles to the operation of global American corporations, differ substantially from the views of their European counterparts, who seem to emphasise the primacy of privacy. Such differing perceptions seem natural, given the origin of the Internet and the technological giants, as well as the American understanding of freedom of speech. On the other hand, this clearly shows how the legal environment influences the development of the big data industry.
We hope that the judgement will contribute to personal data protection becoming genuine rather than merely apparent. Notwithstanding the above, the judgement should not lead to the introduction of additional significant difficulties for the business operations of entities cooperating on global markets.