Can Personal Data Still Circulate From EU to US?

The “Safe Harbour” scheme on data protection between the US and the EU was invalidated by the European Court of Justice, which held that the Commission’s confidence in the US protection of personal data cannot prevent national authorities from suspending the transfer of European web users’ data to servers located in the US.

There has always been a substantial difference between the US and EU approaches to the protection of personal data, possibly for philosophical or historical reasons.

The US follows the principle of self-regulation, which holds that privacy should be secured through market equilibrium in the cross-border transfer of personal data. Protecting privacy is therefore not a priority for undertakings, because an aggressive privacy policy could undermine firms’ marketing capacity. The US approach is ad hoc and quite sectoral. There is no uniform legislation on privacy protection: there are federal laws, specific legislation and court decisions (for instance, self-regulation in the banking sector).

On the other hand, the EU has a generalist and centralized approach (with the exception of electronic communication). The EU regards privacy as a fundamental right, and its legislation is inspired by ethical principles of fair treatment of personal data. Accordingly, the EU has issued a directive on the processing of personal data (Directive 46/95).

The Directive’s main goal is to ensure a high standard of data protection, both for internal transit within the Community and for external transit to third countries. If the Commission believes that an adequate level of protection is not ensured in a third country, data transfer can be prevented. The practical effect of this situation is huge: a hotel located in Europe that is part of a US hotel chain could be prevented from sending any data to the US, making it suddenly impossible for the multinational to centralize data for any purpose whatsoever, for instance for invoicing and marketing.

This divergence between the US and the EU on the protection of personal data could have put data flows at risk, with the chance of obstructing trade between the parties.


For these reasons, the EU and the US agreed to a “safe harbour” scheme, approved by the EU in 2000. The main goal of this agreement was to reconcile their two divergent positions on the protection of personal data. The agreement was a kind of compromise, intended to resolve the inadequacies in American legislation without adopting particular legislative measures. It applied every time there was a data transfer from the EU to the US, and a company’s adherence to a minimum set of rules created a presumption of conformity with the essential requirements for the protection of personal data. This scheme offered a “safer harbour” for these companies operating in Europe.


In October 2015, the European Court of Justice (ECJ) invalidated the Safe Harbour agreement.
The case originated from a complaint made by Maximillian Schrems, a Facebook user.
Mr. Schrems, after a formal request addressed to Facebook, became aware of the large amount of data that Facebook stored about him.

Fearing that his data would be processed in the US, he made a complaint against the European subsidiary of Facebook, Facebook Ireland Ltd, which is the contracting party for all users of the service in Europe. The Irish data protection authority rejected the complaint on the ground that the US headquarters, Facebook Inc., was bound by the Safe Harbour agreement and, as a result, personal data were deemed to be adequately protected.

However, the Court of Justice of the European Union, following the opinion of the Advocate General, ruled that the Commission’s confidence in the US protection of personal data did not prevent national authorities from suspending data transfer from European Facebook subscribers to servers located in the US.
The Court of Justice considered that in the US, national security issues prevail over the protection of personal data. As a result, US public authorities may ask Facebook (but also Google and Microsoft, for example) to derogate from the Safe Harbour agreement for national security reasons, with the risk of interference by American public authorities with people’s fundamental rights.
Consequently, with this important judgement, the Court of Justice declared that the Commission’s US Safe Harbour Decision was invalid.


After this judgement, the EU and the US are trying to reach another agreement within a short time, to ensure that this sort of veto imposed by the ECJ does not undermine business between EU and US undertakings. In the meantime, there are other legal ways to transfer personal data from the EU to the US:

1. Specific agreements allowing data transfer. These agreements need to be reached through specific contracts between undertakings.

2. Asking for the explicit consent of the people concerned by the transfer of their personal data to the US. This is difficult to carry out for networks encompassing millions of users.

Personal data can still circulate, but the divergence of views between the EU and the US, as well as the super-privilege of federal administrations in the name of national security, makes data transfer more difficult. The future remains to be built. No doubt multinationals will keep both eyes on this legal divergence, which could have a huge impact.

January 25th, 2016 | Asset Protection