Will a new transatlantic deal between the EU and the US relating to the transfer of personal data usher in a new era of increased data privacy, Antonio Ghio asks.

It appears that the Snowden revelations are still resounding in Europe, especially in relation to the mechanisms with which European companies justified the transmission of personal data outside of European borders, particularly to the US.

A recent landmark preliminary ruling by the European Court of Justice held that the EU-US Safe Harbour principles introduced almost 15 years ago are invalid as they do not offer sufficient privacy protection.

EU privacy laws essentially forbid the transfer of personal data outside of the EU unless the receiving state has an ‘adequate’ level of protection. The EU-US Safe Harbour agreement enabled companies that needed to transmit personal data from Europe to the US to fast-track their compliance with European privacy laws and legitimise the transfer of personal data outside of the EU without the requirement of consent from the data subject.

Under current rules, now held invalid by the European Court of Justice, US companies storing personal data relating to EU citizens could carry out a self-certification process in order to confirm their compliance with basic EU data privacy principles as emanating from the EU Data Protection Directive.

This scheme was the basis on which various American companies like Google and Facebook could send personal data from the EU to the US. Such companies normally manage their European and non-US operations from Ireland for tax reasons, which makes them subject to European data protection laws. The EU-US Safe Harbour agreement enabled them to transfer personal data to their parent companies in the US with relative ease.

However, everything changed when an Austrian student, Max Schrems, complained to the Irish Data Protection Authorities that the transmission by Facebook’s European subsidiary of his personal data from his Facebook account for processing on Facebook’s US servers did not fully respect the data privacy obligations contained under European law. The Irish Data Protection Commissioner responded that since the transfer of personal data was being legitimised under the Safe Harbour agreement, the Commissioner was not bound and did not have the authority to look into each and every transfer.

Schrems appealed before the Irish Court of Appeal, which in turn requested a preliminary ruling from the European Court of Justice. Only last month, the decision of the European Court of Justice stipulated that it was indeed the obligation of national data protection authorities to ensure that an adequate level of safeguards existed prior to the transfer of personal data from Europe to the US.

Essentially, this means that national authorities cannot simply rely on the self-certification provided by the American companies, with which the cross-Atlantic data transfers were being legitimised. In its decision, the European Court of Justice held that national supervisory authorities, when dealing with a claim, must be able to examine with complete independence whether the transfer of a person’s data to a third country complies with the requirements laid down in the Data Protection Directive. The EU and US now have a three-month period in which to negotiate a new system or else open themselves to actions by European data privacy regulators.

Recent developments and announcements made by the US Secretary of Commerce Penny Pritzker following the European Court of Justice decision indicate that the US and the EU appear to be close to signing a revised and updated version of the Safe Harbour agreement, which should address all the issues raised in the European Court of Justice decision and more.

One has to note however that reforms to the EU-US Safe Harbour agreement have been under consideration for at least two years, especially following the revelations made by contractor Edward Snowden regarding the mass surveillance programs carried out by the US Government.

In light of the current work being carried out to revamp EU Data Protection laws with the introduction of the EU General Data Protection Regulations, many are still trying to comprehend the effects that this latest judgment will have on data processing. It will also increase the workload of national data privacy regulators, since a simple reliance on the EU-US Safe Harbour principles is not an option and the regulators will now have an increased say as to whether the intended transfer meets accepted data privacy criteria. This also means that international companies will need to reassess trans-border data transfers.

The data protection landscape has become very fluid. The declaration by the European Court of Justice that the Data Retention Directive did not strike the right balance between the legitimate interests of the state and the protection of the fundamental right to privacy of EU citizens is still reverberating.

These developments, however, shed light on the increased awareness that internet users have of their privacy rights. They also serve to recognise that informational self-determination is a key concept for internet users and that self-regulation by US internet companies in their compliance with EU data protection norms is not sufficient.

Will Safe Harbour 2.0 address all these fears? I’m sure that Schrems thinks otherwise and most probably he’s not the only one.

Dr Ghio is a partner at Fenech & Fenech Advocates specialising in ICT Law (www.fenechlaw.com). He also lectures in ICT law and cybercrime at the University of Malta.
