Hostname: page-component-78c5997874-ndw9j Total loading time: 0 Render date: 2024-11-14T06:48:57.742Z Has data issue: false hasContentIssue false

The Safe Harbour is not a Legitimate Tool Anymore. What Lies in the Future of EU-USA Data Transfers?

Published online by Cambridge University Press:  20 January 2017

Alessandro El Khoury*
Affiliation:
European College of Parma and Pontificia Universitas Lateranensis

Abstract

Image of the first page of this content. For PDF version, please use the ‘Save PDF’ preceeding this image.'
Type
Case Notes
Copyright
Copyright © Cambridge University Press 2015

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

1 Directive 95/46 of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31, Article 2 points (a) and (b).

2 Commission Decision 2000/520 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.

3 Case C-362/14, Maximillian Schrems v Data Protection Commissioner, EU:C:2015:627.

4 Article 29 Working Party was set up under Directive 95/46 as an independent advisory body. It is composed of a representative of each EU data protection supervisory authority, a representative of the EU institutions and bodies and a representative of the European Commission.

5 Article 29 Working Party, Opinion 2/99 on the Adequacy of the “International Safe Harbor Principles” issued by the US Department of Commerce on 19th April 1999, WP19 5047/99/EN/final, at p. 5.

6 Jan Dhont, Maria Verónica Pérez Asinari, Yves Poullet et al. “Safe harbour decision implementation study”, University of Namur, study for the European Commission DG Internal Market (2004), at p. 105.

7 European Commission communication on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU, COM(2013) 847 Final, at p. 18.

9 For the complete history of complaints see <http://europe-v-facebook.org/EN/Complaints/complaints.html> (last accessed on 02 November 2015).

10 The PRISM program is a secret surveillance program run by the NSA to collect internet communications from several major US internet companies. It was publicly revealed by The Guardian, by publishing leaked documents from Edward Snowden, at the time a NSA contractor.

11 Given that data transfers to third countries are (in principle) forbidden, Article 25(6) of Directive 95/46 allows the European Commission to decide whether, by reason of its domestic law or international commitments, a third country ensures an adequate level of protection for personal data.

12 According to Article 28(1), “Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive. These authorities shall act with complete independence in exercising the functions entrusted to them..”

13 See e.g. joined cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and others, EU:C:2014:238.

14 Considering that the Article 29 Working Party issued its first opinion on the level of data protection in the US in January 1999, while addressing a letter from the US Representative dated 1998, Article 29 Working Party, Opinion 1/99, at p. 1.

15 Case C-247/08, Gaz de France - Berliner Investissement, EU:C:2009:600.

16 Opinion of Advocate General Bot in Case C-362/14, EU:C:2015:627, at para. 132 -134.

17 Supra, note 6.

18 Case C-131/12, Google Spain and Google, EU:C:2014:317.

19 The Court considers that the legislation allowing public authorities to have access on a generalised basis to the content of electronic communication compromises the essence of the fundamental right to respect for private life as guaranteed by Article 7 of the Charter (para. 81-94).

20 Article 25(2) of the Directive 95/46 provides that the Commission has to assess that the third country provides an adequate level of protection, meaning that the entire legal order of the third country, without any exception, must be compatible with the level of protection of fundamental rights and freedoms guaranteed within the EU, whereas the Commission only assessed the compatibility of data transfers under the Safe Harbour principles.

21 For a summary on the issues of TTIP and data protection see BEUC's factsheet, Data flows in TTIP, at <http://www.beuc.eu/publications/beuc-x-2015-073_factsheet_data_flows_in_ttip.pdf> (last accessed on 08 November 2015).

22 Commission Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regards to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012)11 Final.

23 Stefano Rodotà, “Relazione 2004 - Discorso del Presidente Stefano Rodotà”, at <http://194.242.234.211/documents/10160/10704/1093804> (last accessed on 11 November 2015).

24 First Vice-President Timmermans and Commissioner Jourová’s press conference on Safe Harbour following the Court ruling in case C-362/14 (Schrems), <http://europa.eu/rapid/press-release_STATEMENT-15-5782_it.htm> (last accessed 11 November 2015). Following that press conference, on 6 November 2015, the Commission published communication, Communication from the Commision to the European Parliament and the Council on the transfer of personal data from the EU to the United States of America under Directive 95/46/EC following the Judgment by the Court of Justice in Case C-362/14 (Schrems), COM(2015) 566 final, in order to explain the other possible mechanisms under which EU-USA data transfers are still possible.

25 Point to point approach describes a method for which the legislation provides only for a preventively agreed linear data transfer, between two subjects. Notably, subsequent data transfers are always envisaged among a “sending” subject and a “receiving” one, therefore each data transfer can be considered individually as a segment. This approach might seem logic, yet it does not necessarily ensure enforceability in practice. It has to be noted that the same approach is applicable to infra-EU data transfers, but in those cases enforceability is guaranteed by other EU legislation.

26 Bradshaw, Simon and Millard, Christopher and Walden, Ian, Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services, Queen Mary School of Law, Legal Studies Research Paper No. 63/2010, available at SSRN <http://ssrn.com/abstract=1662374>.

27 For an in-depth analysis of the EU-USA data transfer through Cloud Computing see Alessandro El Khoury, Cloud Computing, a legal framework. The contract and the main issues related to personal data transfer between European Union – United States of America, LL.M. thesis on file at the Pontificia Universitas Lateranensis, (2011).

28 Spina, Alessandro, Risk Regulation of Big Data: Has the Time Arrived for a Paradigm Shift in EU Data Protection Law?, European Journal of Risk Regulation, Volume 5, Issue 2 (2014), at p. 252 CrossRefGoogle Scholar.