The impact of Edward Snowden’s leaks on US government internet surveillance has claimed another casualty - the ‘Safe Harbour’ provisions that legitimise a significant volume of European Union personal data transferred to the United States for processing.
Under the US Safe Harbour arrangement that had been formally recognised by the European Commission, participating companies in effect have to commit to protecting personal data moved to the US as though the data were still in Europe.
These data flows between the EU and US are vital to the global economy and necessary for internet technology companies like Facebook, Google and Microsoft - and thousands of other companies - to efficiently operate in an EU-compliant manner.
The European Union’s top court this week declared the European Commission’s decision to recognise the Safe Harbour arrangement invalid. The decision comes on the back of leaks about US National Security Agency and its global mass surveillance programme.
The European Court of Justice’s decision follows the opinion by EU Advocate General Yves Bot last month who said the Safe Harbour arrangement did not guarantee the protection of EU data from “mass and generalised access” after it had been transferred to the US.
In the European Union’s 28 member states, data protection and privacy laws offer stronger and more comprehensive legal protections around personal data than is the case in the US. EU policy makers and regulators insist that these legal protections are an essential requirement of its terms of trade with the US. While it has not been possible to provide legal protections of that standard for the entire US economy, the Safe Harbour arrangement provided a feasible option for companies doing a lot of data trade with Europe to ‘opt in’ to a EU-style set of obligations enforced under arrangements supervised by US government departments.
But leaks about NSA spying have upset the perception that US companies are able to guarantee the protection of personal data about EU citizens to the extent that the laws in the European Union demand.
Mr Bot said in his opinion that the access enjoyed by the US intelligence services constituted an interference with the right to the protection of personal data that is guaranteed in the Charter of Fundamental Rights of the European Union.
American diplomats had been lobbying furiously but unsuccessfully to counter the EU advocate general’s opinion, seeing it as a likely precursor to this week’s ECJ decision which some commentators say has plunged both sides into uncharted legal and economic territory.
Work was already well advanced on a review of Safe Harbour to address known deficiencies and there will be calls to put in place an interim replacement arrangement so business can continue as usual. But the repercussions are likely to be felt for some time around the world, including New Zealand.
There is already discussion about a ‘Safe Harbour 2’ contingency. The EU Advocate General says any new arrangement will need to be significantly different in the way it deals with national security and law enforcement exemptions in order to satisfy EU law. This is critical to convincing the European Court of Justice that it will deliver the right level of protection and also meet the expectations of the European Union’s national data protection authorities.
Implications for New Zealand
A respected Brussels-based privacy law expert, Chris Kuner, warned that invalidating the Safe Harbour agreement completely would send a signal to other countries that it was futile to even attempt to adapt their laws to EU standards because they would have no chance of satisfying them. “And given that only six adequacy decisions (five minus the Safe Harbour) have been issued for countries outside the European Union in 17 years … who could blame them?”
One of those six adequacy decisions applies to New Zealand. In 2012, the European Commission decided that our Privacy Act offered an adequate standard of data protection for the purposes of European law. But since Snowden’s leaks, our membership with the Five Eyes network has raised questions in the European Parliament about whether New Zealand’s adequacy decision should be reviewed.
Just as the Safe Harbour agreement is important for US and European trading relationships, the New Zealand data protection adequacy decision is also an important trade advantage for us, especially in e-commerce. Up to now, calls to review New Zealand’s adequacy status have not been acted upon by the European Commission but that could now change.
In the lead-up to the European Court of Justice decision, an Israeli privacy expert Omer Tene said the ruling would immediately call all other data transfer mechanisms into doubt. Israel is one of the few countries outside the EU, like New Zealand and Canada, with EU adequacy status. “If the European Commission’s (original) decision to approve Safe Harbour is subject to second guessing by 28 national regulators, why not its decision to whitelist certain countries as ‘adequate’?”
The judgment goes further than merely invalidating the Safe Harbour decision and seems to suggest that any of the 28 national regulatory bodies can look behind European Commission adequacy decisions and reach their own conclusions about adequacy and, if they think it is warranted, suspend data transfers for processing. This threatens to undermine the certainty to business and third countries that adequacy decisions are supposed to provide and in turn has the potential to disrupt trade and data transfers.