Yottabytes: Storage and Disaster Recovery

Oct 31 2015   10:49PM GMT

European Governments Slam Door on Transferring Data to U.S.

Sharon Fisher

Safe Harbor

The Edward Snowden revelations came out more than two-and-a-half years ago, but the repercussions are still being felt.

Here’s the background, according to the firm Paul Hastings. The European Union passed a law that went into effect in October, 1998, that prohibited transfers of personal data to third countries that do not ensure an “adequate level of protection.” The Clinton Administration then negotiated the U.S.-EU Safe Harbor program, which enabled U.S. organizations to transfer data from the EU to the United States based on their declared compliance with the EU’s privacy principles. In 2000, the European Commission found the Safe Harbor program provided adequate protection.

So what happened? In early October, the European Court of Justice responded to a lawsuit by Maximilian Schrems, an Austrian law student, who filed a complaint with the Irish Data Protection Commissioner challenging the transfer of his personal data from Facebook Ireland to Facebook, Inc. in the United States. “Citing revelations by Edward Snowden, Mr. Schrems alleged that the United States did not ensure adequate protection of personal data against surveillance by public authorities,” explains Paul Hastings. The Court agreed and found that the U.S. was no longer in compliance with those principles, and invalidated the Safe Harbor program. (Later in the month, Israel also jumped on the bandwagon.)

Needless to say, the entire legal and technology industry had kittens. Law enforcement, for example, could no longer count on getting information about possible criminals from Europe. And almost two dozen technology companies, including Google and Microsoft, wrote a letter to Congress about it. “Without the adequacy finding, many of the 4,400 companies that relied solely upon the Safe Harbor agreement to transfer data from the EU to the United States face tremendous uncertainty regarding what bases exist to justify transatlantic flows of data,” they wrote.

Safe harbor “allowed big companies like Facebook and Google, for example, to carry out a self-certification process, promising to protect EU data stored on U.S. soil,” writes Arjun Kharpal for CNBC. “The agreement is key for thousands of companies operating in the EU.”

The data in question could be as minor – or as major, depending on how you look at it – as people’s web search histories and social media updates, writes Mark Scott in the New York Times. “At issue is the sort of personal data that people create when they post something on Facebook or other social media; when they do web searches on Google; or when they order products or buy movies from Amazon or Apple,” Scott writes. “Such data is hugely valuable to companies, which use it in a broad range of ways, including tailoring advertisements to individuals and promoting products or services based on users’ online activities. The data-transfer ruling does not apply solely to tech companies. It also affects any organization with international operations, such as when a company has employees in more than one region and needs to transfer payroll information or allow workers to manage their employee benefits online.”

There are other data transfer alternatives, Kharpal notes. “Two such processes are Binding Corporate Rules and Model Contract Clauses,” he writes. “These are essentially contracts allowing companies to transfer data out of the EU by going through different approval processes involving the European Commission and data protection authorities in the member states.” Larger companies typically have access to these alternative methods to transfer data from Europe to the U.S.; it’s the smaller companies that are particularly left out in the cold by the decision, he writes. And companies that are big enough to have their own servers in Europe to store data about Europeans are also okay, writes Kurt Wagner in Re/code.

European authorities have given the U.S. until the end of January to fix the problem. So the U.S. Congress is scrambling (though some believe its solution is still inadequate) through the Judicial Redress Act. It “gives the citizens of some of the U.S.’s allies access to records about them that have been collected by the U.S. government, as well as the ability to amend those records and, importantly, civil redress (the right to file a civil suit) when such records are unlawfully disclosed,” writes John Eggerton in Broadcasting & Cable. (There are exceptions for reasons such as national security, adds Brendan Sasso of the National Journal.)

The House passed the bill on October 20; the Senate still needs to pass it.

The U.S. can also try to argue with the ruling, writes Karen Kornbluh for the Council on Foreign Relations (though it cannot be appealed). “Experts within and outside the U.S. government have argued that the ECJ based its ruling on erroneous factual assumptions regarding the nature and oversight of U.S. surveillance,” she writes. “Moreover, they note that the United States provides adequate privacy protections, especially in comparison to European countries many of which have no independent data protection oversight of law enforcement and intelligence surveillance. The ECJ also based its decision on a 2013 European Commission report on U.S. surveillance, parts of which are outdated given U.S. surveillance reforms spurred by President Obama’s 2014 executive order. Robert Litt, general counsel for the Office of the Director of National Intelligence, wrote an opinion piece for the Financial Times before the ruling to argue that the surveillance program at issue in the ECJ’s decision ‘does not give the U.S. ‘unrestricted access’ to data.’”

But this is unlikely to go far, writes Timothy Edgar in Lawfare. “So, perhaps all the US has to do is convince enough people that Bob Litt is right about PRISM, the European Commission is wrong, and the Europeans will say it was all a big misunderstanding?” he writes. “Not likely.”

1  Comment on this Post

  • JonnySF
    The EU is the only type of structure that can represent EU citizens in a world of mega corporations and other powerful countries. 

    Often its work is obstructed by its own governments who are being blackmailed by those very corporations.

    The idea that as a single country outside the EU we wouldn't be blackmailed at every turn by corporates is laughable.  It already is a problem and at least the EU provides some measure of resistance. 
    It's not perfect of course and a LOT of money is wasted but an organisation on this scale is never going to be perfect.  It's not possible.  Central bankers are a bigger problem anyhow as they control how much money is in the system and for what purposes and they rely on ever rising asset prices rather than productivity or basic things like you know, exporting goods.

    But data protection is likely a failed exercise already.  People will sign over their data for services that are freely available.  So it's not easy to see the benefit of these arrangements.

    And isn't TTIP and its sister going to render this irrelevant anyhow?