Safe Harbor 2.0 in the making

The United States and the European Union have reached a new agreement to replace Safe Harbor, as announced on February 2. Safe Harbor originally outlined the rules for electronic data transfers between the U.S. and the EU, until it was nullified by a European court for jeopardizing the privacy of European citizens. According to negotiators, the new deal will create a “Privacy Shield” in order to protect European data. Whatever the new agreement might entail, it will affect e-discovery (electronic evidence used in litigation or government investigations) as well as social media and business-related data transfers between the U.S. and the EU.

The European court decision on Safe Harbor’s validity is a result of fundamental differences in the way that Americans and Europeans view privacy. The 1995 EU Data Protection Directive established data protection requirements in the European Union that are far more comprehensive than current laws in the U.S. One of the stipulations of the 1995 law is that citizens’ personal data cannot be transferred to countries lacking sufficient data protection, such as the United States. When the Patriot Act was passed in 2001, the divergence between European and American privacy laws widened even further.

The Safe Harbor framework was considered to be a loophole in the European law. It allowed any individual company with EU privacy certification to transfer data between the U.S. and EU, even though the U.S. as a nation did not comply with the 1995 EU Data Protection Directive. Moreover, American companies were only required to self-certify: essentially, a company had only to state that it was abiding by European privacy standards in order to transfer any amount of data.

Max Schrems, an Austrian law student, created an organization called “Europe versus Facebook” (EvF) in order to fight Safe Harbor in court. Although he lost his case before the Irish Data Protection Authority, the European Court of Justice held on October 6, 2015, that “There is no general privacy law or other measures enacted in the U.S. that shows the U.S. offers ‘an adequate level of protection’ for personal data relating to European data subjects.”

Some call the new agreement “Safe-Harbor 2.0.” Until more information is provided, it’s impossible to know whether the deal includes real improvements, or just more loopholes.

Article via: Legaltech News, 11 February 2016

Photo: European Union Colours by Tristam Sparks [Creative Commons Attribution-NonCommercial-NoDerivs]

 


E.U. ruling invalidates Safe Harbor

In a recent ruling, the European Court of Justice struck down Safe Harbor, which dictated the rules for transatlantic data flow between the United States and the European Union. The invalidation of Safe Harbor carries significant consequences for American e-commerce firms that operate in Europe. Companies like Google and Facebook, as well as the U.S. administration, now must make high-profile decisions in response to the ruling.

Europe has broad legislation protecting the personal information of E.U. citizens from being exploited by businesses. The U.S., in contrast, codifies privacy protections only against government institutions and for certain high-sensitivity data (e.g. health records). Safe Harbor’s “principles” are more flexible extensions of the E.U.’s privacy laws; violations of Safe Harbor could result in sanctions from a self-regulatory organization or the Federal Trade Commission.

When Europe’s highest court invalidated the agreement, it did so on the premise that European citizens were being manipulated by U.S. tech companies as well as by the U.S. government. The ruling was a reflection of a recent decision made by an Irish court on Safe Harbor’s illegality. Any new agreement drafted will have to contain more stringent privacy rules, and will therefore create more limitations for U.S. firms.

Facebook and Google’s immediate options include continuing business practices in a time of legal uncertainty, shutting down their European operations (resulting in major losses), or changing the business model to include more data collection centers in Europe. The last alternative would require companies to keep European and American data completely separate, with the consequence of economic inefficiency.

Article via The Washington Post, 6 October 2015

Photo: Bandiera dell’Unione (EU Flag) via Giampaolo Squarcina [Creative Commons Attribution-NonCommercial-NoDerivs]