The end of the Safe Harbor regime: time for structural separation of personal data?
The Court of Justice of the European Union (CJEU) has declared invalid the European Commission's so-called Safe Harbor decision of April 26, 2000, which allowed US platforms and OTTs such as Facebook, Amazon, Google and others to transfer to, and gather in, the United States the personal data of European citizens (Case C-362/14 Maximillian Schrems vs Data Protection Commissioner). The text of the judgment can be found here.
The judgment of the EU Court will have various fundamental consequences for the business of the US OTTs in Europe. In particular, the transfer of European citizens' personal data to the US, and its processing there, risks becoming permanently uncertain and unfit for a proper online business based on profiling and online ads. My first thoughts on this:
- a new Safe Harbor decision will not solve the problems. The CJEU confirmed that national supervisory authorities remain competent to examine whether the transfer of individuals' data to third countries complies with the requirements of the directive on data protection (Directive 95/46). This will make for a very different business environment for US-based platforms and OTTs in the EU; as a matter of fact, from now on such companies will run the risk of individuals challenging the way their data are processed in the US. Additionally, since most US OTTs are based in Ireland, the Irish data protection authority will have to manage an enormous, unexpected, and maybe uncalled-for, power over the entire US online business;
- in any case, it would be difficult to reach and enforce a new Safe Harbor decision. The CJEU clearly stated that the current way the US processes personal data is not acceptable, because there are no guarantees as to, nor limitations on, the potential interference by US investigation authorities, in particular for security and anti-terrorism reasons. However, in a joint declaration, Vice-President Timmermans and Commissioner Jourová optimistically declared that “we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic”;
- therefore, it seems that the only solution will be for US OTTs to store data in the EU, rather than in the US, if they want to continue to carry out business in the EU. This means they will have to create new and separate data processing centers in the US and the EU respectively. It will be a kind of structural separation for personal data;
- for some OTTs this forced structural separation of personal data will be a disaster, since their business, based on profiling for advertising and marketing, will become much less interesting if data cannot be compared and profiled all together;
- to overcome this issue, an enormous political effort should be made between the US and the EU. In particular, the US should agree to discuss, and comply with, the data protection standards as indicated by the European Court. However, this is very unlikely to happen in the short term.
In the short term, US OTTs will continue to carry on their business, since the transfer of data to third countries may also happen (art. 26 of the Data Protection Directive) via alternative means, such as the consent of interested parties, the application of the so-called Binding Corporate Rules or the use of standard contractual clauses. However, such instruments do not constitute a viable, long-term solution in the present circumstances, since the judgment clearly applies, as far as mass surveillance is concerned, to any alternative transfer method. In other words, the CJEU has not argued only under the Safe Harbor decision, but has based the judgment on fundamental rights that apply no matter which transfer method is used.