The Safe Harbor agreement was intended to allow U.S. companies to collect personal data of EU citizens. The agreement was meant to maintain the traditional level of data protection for EU citizens, which is not guaranteed to the same extent in the US. Since September 2015, the agreement has been considered invalid by the European Union, ending more than 15 years of practice in the field of data protection law.
Safe Harbor: A safe haven?
In September 2015, the Safe Harbor Agreement suffered a severe setback. The Advocate General of the European Court of Justice, Yves Bot, concluded in his opinion that the Safe Harbor decision is neither valid nor binding. The Safe Harbor Agreement dates from the year 2000 and belongs to the area of data protection law. The decision of the European Commission was meant to allow companies to transfer personal data to the USA, provided that they complied with European data protection directives. It is not an "agreement" in the strict sense; however, this type of procedure was agreed with the USA, so that one can speak of a kind of "agreement". On 06.10.2015, the Safe Harbor Agreement was declared invalid by the European Court of Justice (ECJ).
The history of the Safe Harbor Agreement
Within the European Union, the Data Protection Directive 95/46/EC prohibits the transfer of personal data from member states to other states that do not have data protection laws with a comparable protective function. The United States has hardly any legal regulations in the area of data protection that are on a par with the standards of the European Union. The strict EU regulations led to practical problems, which is why the USA and the EU concluded an agreement in 2000. Strict adherence to the Data Protection Directive would have brought data traffic to a standstill, which is why the Safe Harbor regulation was enacted. Companies from the USA could register on a list kept by the US Department of Commerce and thus join the Safe Harbor. By joining, American companies agreed to abide by the principles and regulations of the agreement. The legal regulations were in effect supplemented by private self-regulation at the international level. The European Commission considered it established that companies within the newly created system provided sufficient protection for EU citizens and their personal data. By the time it was revoked in September 2015, numerous companies had joined the agreement, among them General Motors, Amazon, Microsoft, IBM, Google, Facebook, Dropbox and Hewlett-Packard.
Popular criticism of the Safe Harbor Agreement
The Safe Harbor Agreement was repeatedly criticized. Critics denied that the agreement had a sufficient protective function: one could not rely on the "word" of American companies, so proof of compliance would have to be provided. A few years later, the US Patriot Act was enacted; under the new legal situation, American security authorities could access all data without having to notify the data owner. Following the revelations of whistleblower Edward Snowden, a review of the system was demanded in 2013. In the same year, EU Justice Commissioner Viviane Reding announced a reform of European data protection, under which any company that carried out an illegal data transfer would be fined up to two percent of its annual turnover.
The judgment of the European Court of Justice in September 2015
In September 2015, the Advocate General of the European Court of Justice, Yves Bot, declared that the Safe Harbor Agreement was no longer valid and binding. The High Court of Ireland had asked the European Court of Justice whether and to what extent the Safe Harbor regime applied. The case in question concerned the transfer of data by Facebook to the USA. In his reasoning, the Advocate General stated that the European Union was not authorised to interfere with and restrict the powers of the member states. As soon as the observance of the fundamental rights granted by the EU Charter is endangered in a member state, it should be possible to act accordingly. Among these fundamental rights is the protection of personal data. In the USA, EU citizens are exposed to data collectors without protection, as the USA permits the collection of data on EU citizens to a considerable extent. At the same time, there are no effective means of judicial redress. The US intelligence services pursue intensive surveillance, which is not proportionate and allows targeted interference with data protection. The European Court of Justice followed the Advocate General's remarks and thus sealed the end of the agreement. In the operative part of the judgment, reference was made to the American intelligence services: American companies are subject to their requests and are thus forced to set aside all protective regulations. There is therefore no effective protection of personal data. On the one hand, the fundamental right to respect for private life is violated by this practice; on the other hand, the right to effective legal protection before a court is violated as well.
The approach of the German data protection authorities
After the publication of the European Court of Justice ruling, the German data protection authorities acted quickly. In a position paper drafted by the data protection officers of the Länder and the federal government, it was made clear that data transfers are inadmissible if they are based solely on the Safe Harbor Agreement. New permits based on the agreement will no longer be issued. In addition, binding corporate rules and data export agreements will no longer be recognized. In the UK, the view is that data transfer remains possible if consent has been given or EU standard contractual clauses are in place. In the view of the German data protection commissioners, consent is not sufficient, as mass and repeated data transfers could no longer be permitted on such a scale.
New regulations and recommendations
At the federal level, the decision of the European Court of Justice was welcomed by the responsible Federal Data Protection Commissioner. In the near future, it will be examined whether and to what extent the ruling affects binding corporate rules and EU standard contractual clauses in Germany. On 26.10.2015, the position paper of the Federal Government and the Länder was published. The supervisory authorities announced that action would be taken against any data transfer based on Safe Harbor. Since the verdict, it has been entirely clear that certification under the former agreement is inadmissible. Companies that transfer personal data to the USA risk painful fines, which is why website texts, advertising materials and privacy policies should be adapted as quickly as possible. In addition, current data transfers should be reviewed, and the applicability of binding corporate rules and EU standard contractual clauses should be clarified. Anyone who cannot do without the transfer of data to the USA should make use of EU standard contractual clauses, which considerably reduce the risk of a fine, at least in the majority of cases. It is absolutely necessary that encryption methods are reviewed and applied. If consent is to be relied on, contact should be sought with the DSK to ask whether such legitimation is permissible for the data transfers in question. Where consent is obtained, it must be made clear that a data transfer to the USA is taking place, and the possible consequences must be listed. Such consent can hardly be implemented in the case of permanent and mass data transfers, for example of customer data. In order to achieve the best possible legal protection, the legal issues should be examined on a case-by-case basis. Technical and organizational measures can considerably reduce the risk of legal violations.