The World after Safe Harbor

In October 2015, the European Court of Justice (ECJ) declared the Safe Harbor Agreement for transferring data to the USA invalid. The decision was based on a lawsuit filed by the Austrian, Maximilian Schrems, who claimed that the data storage practices of Facebook in the USA did not conform to European data protection legislation. After the ECJ upheld the Schrems case, many international companies faced an upheaval to their existing data transfer practices. At the end of the interim period on February 1, they were no longer permitted to share personal data including names, addresses and credit card numbers with subsidiaries in the USA. In principle, this decision could affect all kinds of companies – not just social media platforms such as Facebook or Twitter, but entire sectors including ecommerce and cloud computing. Violations of data protection legislation can incur financial penalties of up to EUR 300,000.

Many managers initially reacted indifferently to the end of Safe Harbor. As the transfer of personal data is essential for international business, it was unthinkable that this practice could end, and businesses would be forced into digital silence. However, businesses grew more anxious with every day that an agreement could not be reached between the European Commission and the USA. Data protection in the United States has a completely different significance among the public, and for most companies, in comparison to Europe and especially in Germany. In the United States, data is often considered a flexible meta currency that is utilized for profitable means. Questions about data security, especially concerns on the misuse of data, are largely unheard.

The state and intelligence services have clearly shown no inhibition when it comes to accessing any form of stored data. After the revelations of Edward Snowden, many data protection lobbyists have campaigned for an end to unregulated data transfer which was based entirely on the goodwill of American companies and was not monitored in any way. A study by the research firm Galexia found evidence of serious violations against the already lax regulations of the Safe Harbor Agreement as early as 2008. The report found that companies had used the Safe Harbor logo on their website, although they had not signed the agreement and only 54 of 1,109 members included all of their data (online, employee data, offline) in Safe Harbor protection and many firms simply confused data protection with data security.

As such, there were many good reasons for Safe Harbor to end. At the last minute and just after the grace period expired, the EU-US Privacy Shield has now been proposed to improve existing practice. The final draft is not complete and it will not be published for a few weeks. Currently, only a summary of the most important points is available. The first responses to the new deal are not particularly encouraging. Commentary from privacy groups or company association representatives has been both welcoming and damning, depending on their interests. Germany's digital association Bitkom made the following statement: "The new agreement is an important step towards better legal protection for data transfer with the USA," says Susanne Dehmel, Bitkom director for Data Protection and Security. "In today's digital world we need to be able to transfer data across borders alongside goods and services. To safeguard this, companies on both sides of the Atlantic need solid legal frameworks." Konstantin von Notz from the German Green Party was critical of the proposed changes: "Raider is now Twix and Safe Harbor is now Privacy Shield yet the underlying protection of basic legal rights probably won't change. The compromise which has been proposed is misleading and the objective of protecting the basic legal rights of citizens has been missed completely. Legal certainty for businesses is also now even further away. It is foreseeable that the ECJ requirements will not be fulfilled."

Although the Privacy Shield summary reads very convincingly, it is again lacking specific legal concessions by the United States. It warns, outlines, requires and demands – from companies. It is left completely open as to how companies violating the requirements will be monitored and what the consequences will be. There are also a number of exceptions that would be of particular benefit to intelligence services, which should be facing greater scrutiny. The NSA, CIA and associated organizations did not show any intent to comply with the previous regulations. Expectations that an American administration, with less than a year left in office, can enforce lasting supervision on such powerful agencies are nothing more than an illusion.

What option is left for companies which still need to exchange personal data with head offices or subsidiaries based in the United States? Those who do not to wish to rely on administrative initiatives can check binding corporate rules and EU standard contractual clauses. The eco association offers guidelines for this here. EU data protection authorities can check the contracts and take action against violations. Those affected have a right of complaint and action in European supervisory bodies and courts. Whether this regulation will remain in place is not yet certain. The EU data protection authorities are currently investigating which effects the Safe Harbor Agreement have on the binding corporate rules and standard contractual clauses. A definitive answer is expected in the coming days.