Safe Harbour

Last month the Court of Justice of the European Union ruled the US Safe Harbour treaty to be insufficient for European data protection law purposes. How important this is remains subject to debate. One of the principles of European data protection law is that personal and confidential data must be “adequately protected”. The CJEU has stated that the US Safe Harbour agreement offers insufficient and uncertain protection to European personal data.

In the IT security world, we have been used to implementing cross-border controls for many years, since shortly after we built cross-border IT, so this shouldn’t be difficult. There are a number of new jeopardies, but the first response has been to transfer companies’ reliance from a state-guaranteed treaty to private contracts, a.k.a. model clauses. The EU Commission has been helping to write the new clauses. The big cloud providers now all offer EU protection in their contracts; their use as storage providers remains legal. This means that the basic problem, which is political, is not being addressed. Business is hoping that the politicians will grow up, but we have a clash of embedded cultures. The US prefers freedom of speech to privacy rights, the 1st Amendment vs. the 4th; in Europe, as a reaction to fascist and Stalinist governments, privacy is seen as a universal human right.

Ars Technica’s contemporary report, which is very good, clear to read, and contains a link to the judgement, states that the Advocate General, Yves Bot, said

“the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States,” … amounts to … “an interference with the right of EU citizens to an effective remedy, protected by the Charter.”

The politicians and bureaucrats, particularly in Europe, are working to provide an alternative and clear way in which the EU’s privacy laws, US surveillance activities and the transatlantic IT services trade can continue, but we are basically still waiting for the US case, Dept. of Justice a.k.a. FBI vs Microsoft.

1 Comment.

  1. On the 12th July 2016, the Commission of the European Union resolved that the USA’s revised legal commitments allowed for a positive adequacy decision, i.e. that data can be transferred to US companies and locations that self-certify as “Privacy Shield” compliant. (Sorry about the English).