Why abandoning Safe Harbour could 'stop the European operations of Facebook and Google in their tracks'
The future of Safe Harbour is in serious doubt - which spells big problems for the US internet giants
The future of Safe Harbour, the agreement that covers the transfer of personal data between the EU and the US, is in doubt.
Safe Harbour, which dates back to 2000, bridges the gap between the data protection legislation in Europe and that in the US, which is generally much weaker as regards personal data. US companies signing up to Safe Harbour agree to adhere to the EU's data protection rules, including giving individuals notice that their data is being collected and how it will be used, and ensuring sufficient security is in place to prevent loss of the personal data.
Ever since Edward Snowden leaked details of the NSA's PRISM programme, Safe Harbour has been under intense scrutiny by lawmakers and privacy campaigners who claim that the activities of the US security services, which include industrial espionage and spying on heads of state as well as the bulk collection of data from all internet users, mean that the agreement is not worth the paper it's written on. The late privacy campaigner Caspar Bowden described Safe Harbour as a "sham": the US government can use other legal instruments, such as FISA 702 or Executive Order 12333, to get its hands on EU residents' data any time it wants to, Safe Harbour or no Safe Harbour, he claimed.
The debate over Safe Harbour is particularly pertinent now because the EU is putting the final touches to the General Data Protection Regulation (GDPR), which is intended to become law in 2017. The GDPR is likely to be much tougher than its predecessor. As a regulation it will also be applied consistently across the EU member states.
Safe Harbour has caused ructions among European legislators themselves. Last year the European Parliament called upon the European Commission (EC) to "present measures providing for the immediate suspension of Commission Decision 2000/520/EC, which declared the adequacy of the Safe Harbour privacy principles" and to "put forward a proposal for a new framework for transfers of personal data from the EU to the US".
However, in the face of some fierce lobbying from the US government and US internet firms such as Google and Facebook, who fear what strengthened legislation might mean for their personal-data-centric business models, the EC has refused to shift its position on Safe Harbour. This in spite of the fact that under PRISM US internet firms are required to give personal data to third parties, namely the NSA, in contravention of the agreement.
Last week, a senior EU legislator, the European Court of Justice's (ECJ's) Advocate General Yves Bot, weighed into the debate.
"Given such a finding of infringements of the fundamental rights of citizens of the European Union, according to the Advocate General the Commission ought to have suspended the application of the decision, even though it is currently conducting negotiations with the United States in order to put an end to the shortcomings found," he said, giving his opinion that Safe Harbour is "no longer adequate".
Yesterday the US Mission to the EU attacked Bot's methodology and his judgment:
"The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens," it said in a statement.
"The PRISM programme that the Advocate General's opinion discusses is in fact targeted against particular valid foreign intelligence targets, is duly authorised by law, and strictly complies with a number of publicly disclosed controls and limitations."
The statement goes on to claim that the EU and the US are working together to improve Safe Harbour and that it should be seen as a "living document" and should therefore not be abandoned and replaced with something else.
Privacy and security researcher Kevin Townsend believes that the ECJ will find it extremely difficult to ignore Bot's stated opinion, and that despite American protestations, this is likely to mean that the Court will declare Commission Decision 2000/520/EC to be in contravention of the European Data Protection Directive - meaning the end of Safe Harbour.
"I don't believe that many people or companies have fully grasped the import of the Advocate General's opinion," he told Computing.
"If the full Court follows his lead the obvious deficiencies in Safe Harbour can - and will - be challenged in court. Unless the politicians in the EC can find some wriggle room, this opinion could, technically, stop the European operations of companies like Facebook and Google in their tracks."