There has always been a substantial difference between the US and the EU approaches to the protection of personal data, and this could be for philosophical or historical reasons.
The US follows the principle of self-regulation, which holds that privacy should be ensured through market equilibrium.
Therefore, protecting privacy is not a priority for undertakings, because aggressive privacy policies could lead to a loss of customers. In the US, the approach is ad hoc and quite sectoral. There is no uniform legislation on privacy protection: there are federal laws and court decisions, and this system does not manage to grant enough protection for privacy.
EU data protection has a generalist and centralized approach, independent of the sector concerned. The EU considers privacy a fundamental right, and the legislation is inspired by ethical principles of fair treatment of personal data. Therefore, the EU has issued a directive regarding the processing of personal data (Directive 46/95).
The main goal of Directive 46/95 is to ensure a high standard of data protection, both in internal transit within the Community and in external transit to third countries. If the Commission believes that the protection level in a third country is not guaranteed, it has the power to prevent the transfer of the data.
This divergence between the US and the EU on the issue of the protection of personal data could have been a risk in terms of data flows, which might have been blocked, with the result of obstructing all trade between the parties.
SAFE HARBOUR AGREEMENT
For these reasons, the EU and the US agreed to a “safe harbour” scheme, approved by the EU in 2000.
The main goal of this agreement was to reconcile the two positions with regard to the protection of personal data. It was in a certain way a compromise, as this agreement was also intended to resolve the inadequacies in the American legislation without adopting particular legislative measures. The agreement was respected in all data transfers from the EU to the US, and this adherence created a presumption of conformity with the essential requirements for the protection of personal data. Under these circumstances, the US was able to receive EU data without the risk of sanctions from the data protection authorities of the Member States.
SCHREMS VS DATA PROTECTION COMMISSIONER (CASE C-362/14)
In October 2015, the European Court of Justice (ECJ) invalidated the Safe Harbour agreement.
The case arose from a complaint made by Maximilian Schrems, a Facebook user.
Mr Schrems, after a formal request addressed to Facebook, became aware of the large amount of data that Facebook stored about him.
The headquarters of Facebook Inc. are in the US, and Mr Schrems was concerned about data protection in that country, also because it was the period just after the Snowden revelations regarding the NSA's illegal surveillance of users.
Therefore, considering that his data would be processed in the US, he lodged a complaint against the European subsidiary of Facebook, Facebook Ireland Ltd, which is the contracting party for all users of the service in Europe.
The Irish data protection authority rejected the complaint on the grounds that the US, where Facebook Inc. is headquartered and where users' data is ultimately processed, was part of the Safe Harbour agreement. As a consequence, the level of protection of personal data had to be considered adequate.
The High Court of Ireland, taking into account that the European Commission, through the Safe Harbour agreement, had already considered the US to have an adequate level of protection, wanted to know whether that consideration prevented any national authority from investigating a complaint alleging that the US did not ensure an adequate level of protection.
The Court of Justice of the European Union, in line with the opinion of the Advocate General, explained that the Commission's finding that the protection of personal data in the US is adequate did not prevent the national authorities from suspending the transfer of the data of European Facebook subscribers to servers located in the US.
The Court of Justice considered that in the US, national security issues prevail over the protection of personal data. Due to this fact, the US public authorities can request Facebook (but also Google and Microsoft, for example) to derogate from the Safe Harbour agreement for national security reasons, with the risk of interference by American public authorities with people's fundamental rights.
The Court of Justice, consequently, by giving this important judgement, declared the Safe Harbour Agreement invalid.
AFTER THE SAFE HARBOUR
Following this judgement, the EU and the US are trying to find another agreement in a short time, in order to ensure that this sort of veto, imposed by the ECJ, does not stop business between EU and US undertakings.
In the meantime, there are other legal ways to transfer personal data from the EU to the US:
Specific agreements that allow the transfer of the data: these agreements need to be reached through specific contracts between the undertakings.
Asking for the explicit consent of the people concerned by the transfer of their personal data to the US: difficult to carry out for undertakings with millions of users.
Temporary suspension of the transfer of personal data between the EU and the US while waiting for a new agreement: a high-risk procedure, due to the fact that there is no new agreement on the horizon.
To sum up, the long-term objective is not only to find a new commercial agreement, but to insert data protection into an international framework.