Safe Harbor, US jurisdiction WTF and the inevitable pushback

In June 2013 Maximilian Schrems brought forth a complaint to the EU Data Protection Commissioner to the effect that said Commissioner should bar Facebook Ireland from transmitting personally identifiable information (PII) outside of EU jurisdiction, specifically to servers located in the United States. He argued that the “US did not ensure adequate protection” for PII and referred to “revelations made by Edward Snowden concerning the activities of the United States intelligence services”, specifically the NSA.

The commissioner refused to investigate, asserting that reports on NSA activities were mere speculation. The commissioner referred to the European Commission’s decision 2000/520, which stated that the US had indeed given adequate guarantees in regard to the protection of PII.

Decision 2000/520 has come to be known as the “Safe Harbor Agreement”. The term “agreement” however applies only insofar as non-EU nations might choose to agree to the terms set forth in the decision, or else be prohibited from collecting PII from EU citizens. It is not an agreement between multiple parties of equal standing where each party has a say in the matter concerned. Since Schrems was of the opinion that the US did not adhere to the terms of the decision, he took his complaint to the European High Court.

The High Court found that in the US “Union citizens have no effective right to be heard” and that PII transferred to the US “is capable of being accessed by the NSA and other federal agencies in the course of the indiscriminate surveillance and interception”.

The court decided that, under these circumstances, transferring PII to the US was a violation of the Irish constitution. The High Court also considered that

“[T]his case concerns the implementation of EU law as referred to in Article 51 of the Charter and that the legality of the decision at issue in the main proceedings must therefore be assessed in the light of EU law”.

So this was turned from a relatively low-key affair into an investigation of the validity of decision 2000/520 at large.

The actual court decision then contains much deliberation regarding the definition of “adequate level of protection” because, while this is the key concept behind decision 2000/520, it is not actually defined anywhere. To cut a very long story short, the Court found that

“[The] Commission did not state, in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments.

Consequently, without there being any need to examine the content of the safe harbour principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid”.

The court also found that in article 3 of the decision the European Commission overstepped its authority by

“[D]enying the national supervisory authorities the powers which they derive from Article 28 of Directive 95/46, where a person, in bringing a claim under that provision, puts forward matters that may call into question whether a Commission decision that has found, on the basis of Article 25(6) of the directive, that a third country ensures an adequate level of protection is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals”.

The court concluded that

“As Articles 1 and 3 of Decision 2000/520 are inseparable from Articles 2 and 4 of that decision and the annexes thereto, their invalidity affects the validity of the decision in its entirety”.

So an agreement that was not actually an agreement issued by an authority that did not actually have the authority was declared invalid by the court because the companies that based themselves on that non-agreement with the non-authority gave guarantees that they were not actually capable of giving. That however is not the amazing part. The amazing part is the US response to that. It looked like this, in the form of an “Advisory” on the US Safe Harbor website:

Advisory of the US Department of Commerce

If you can’t see the screenshot this reads:

“On October 6, 2015, the European Court of Justice issued a judgment declaring as “invalid” the European Commission’s Decision 2000/520/EC of 26 July 2000 “on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.”

In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework. If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel.”

Sorry, US Department of Commerce. You cannot declare yourself to be in accordance with other nations’ laws just after said nations nixed the agreement that you base your policies on. Which, as explained above, was not an agreement at all, but a list of terms that were promptly violated by the US.

In a somewhat bizarre comment in a (now deleted) web forum discussion a user suggested that this was basically okay, that the US Department of Commerce had every right to administer the program since a new agreement would be forthcoming anyway and not transferring PII in the meantime would be a needless loss of business opportunity. If you really think that’s how it works, I have 850 000 Volkswagen Diesels I could sell to you. It’s hard to believe for some people, but the EU does not actually fall under US jurisdiction.

The thing is, I would really like Safe Harbor to be reinstated. I’m a web analyst and a Google fanboy, and for many US American tools there are no really good EU-based alternatives in any case. However, it is the attitude expressed above – that it is somehow a permissible sin to walk over European sentiments, laws and constitutions – that has led to ever stricter EU regulations.

What annoys me about the decisions and laws in the EU is the professed idea that users in toto are incapable of making their own decisions when it comes to their personal data. However, lobbying has pushed the EU very far in the direction of lenience and laissez-faire. I’m less than amazed that privacy advocates are now pushing back hard, maybe even too hard in the other direction. I’m also sure that a little more respect for the opinions and the privacy of EU citizens would help things along.

One thought on “Safe Harbor, US jurisdiction WTF and the inevitable pushback”

  1. I really liked this article, it was succinctly written and well argued. It helps to have the original texts to look at. Thank you!
