Safe Harbour? Say what?

Are you a Google Apps user? Do you recall getting an email that began like this?

“Please note that the update below is relevant only if you process personal data and European Data Protection laws apply to that processing. This will often be the case if your business is based in the European Union. If you are unsure whether this applies to you, we suggest you seek advice from legal counsel.”

 If so, did it make any sense to you?

That email came from a decision by Europe’s highest court. It declared the US-EU Safe Harbor Framework with respect to data privacy was no longer valid.

EU privacy laws and US privacy legislation: an uneasy mix

European Union (EU) privacy laws are thought to be stricter than United States Privacy legislation. Nonetheless, the EU made an exemption for US companies – as long as they provided for similar protection of personal data originating in the EU.

Most recently the EU said that the ability of companies to comply with the Safe Harbour frameworks was severely undermined by the Edward Snowden revelations about US National Security Agency surveillance of data in the US..

How did this get started?

Meet Maximillian Schrems, not your average Facebook user

The case was started by Maximillian Schrems, a resident of Austria and a Facebook subscriber. He complained to the Irish Data Protection Commissioner that it should prevent Facebook Ireland from transferring his personal data to the United States, because the US did not ensure adequate protection of personal data due to NSA mass surveillance.

The Irish Data Protection Commissioner primarily said that it did not have the authority to override the EU Safe Harbor framework, so Schrem then went to the Irish High Court. They disagreed. They said that Snowden had demonstrated significant over-reach by the NSA and referred legal questions to the European Court of Justice.

As of October 6, 2015 this has changed. As part of Schrems v. Data Protection Commissioner [2015], the European Court of Justice essentially agreed with the Irish High Court: the US government’s ability to access EU data, with EU citizens having no redress in the US, meant that companies in the United States, even if self-certified, would not be able to comply with Safe Harbour provisions.

Dealing with data transfers: US companies operating in the EU

This decision has significant impact on US companies operating in the EU, specifically EU/US data transfers, an essential part of modern digital commerce. The European Commission has now said that if companies adopt certain model contract clauses, it should suffice for allowing personal data to transfer between Europe and the United States.

I don’t find this very reassuring. The decision introduces a great deal of uncertainty for US companies. The US has been negotiating a Safe Harbour agreement with the EU, and the EU has said they will not be enforcing the decision until January of 2016. But January of 2016 is not far away; undoubtedly, this decision will prompt both sides to move faster.

What about EU-Canada data transfers?

How does this impact data transfers between the EU and Canada? The EU made a previous decision that found that Canada’s privacy legislation provides adequate protection of personal data. So this recent decision does not impact on Canadian data transfers to the EU. But if challenged, there is a possibility (albeit small) that a different decision would be reached.

Don’t relax entirely! This will not be the end of the story, as there may be follow-on decisions from EU authorities and/or a new Act to protect data transfers between the EU and the US.

Monica Goyal
Monica Goyal
Monica Goyal, Entrepreneur, Lawyer and Innovator is the founder of Aluvion, a legal solutions company offering technology, paralegal and lawyer-driven solutions with a special focus on the quality, cost, and accessibility of legal services for both businesses and individuals. Monica began her career working as an engineer in R&D for companies like Toshiba, Nortel and Nokia while earning her Masters of Engineering at Stanford. Monica's history conditioned her to solve problems in a efficient and tech-savvy manner, an approach she brings with her to legal solutions. Monica currently sits on the Canadian Bar Association's Futures Initiative, and will be teaching a course on Legal Technology at York University’s Osgoode Hall. She was recently named one of 10 Women to Watch in Tech in the Journal of the American Bar Association.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Latest Blogs

ITB in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.