Europe's highest court just rejected the 'safe harbor' agreement used by America

Started by MikeWB, October 06, 2015, 12:37:21 PM


MikeWB

This is huge! This will break the internet as we know it and it can also stop massive spying by USA/UK!




Europe's highest court just rejected the 'safe harbor' agreement used by American tech companies

http://uk.businessinsider.com/european-court-of-justice-safe-harbor-ruling-2015-10

The European Court of Justice has just ruled that the transatlantic Safe Harbour agreement, which lets American companies use a single standard for consumer privacy and data storage in both the US and Europe, is invalid.

The ruling came after Edward Snowden's NSA leaks showed that European data stored by US companies was not safe from surveillance that would be illegal in Europe.

Companies such as Facebook and Twitter may now face scrutiny from individual European countries' data regulators — and could be forced to host European user data in Europe, rather than hosting it in the US and transferring it over.

That could be a bureaucratic nightmare: In theory, American companies with European customers could now end up trying to follow 20 or more different sets of national data-privacy regulations. Up to 4,500 US companies — not just tech firms — have relied on Safe Harbour.

The ruling says "the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities."

In short, the European Commission's Safe Harbour cannot usurp the powers of national authorities, the ruling says.
Here are the main points:

    * Individual European countries can now set their own regulation for US companies' handling of citizens' data, vastly complicating the regulatory environment in Europe.
    * Countries can choose to suspend the transfer of data to the US — forcing companies to host user data exclusively within the country.
    * The Irish data regulator will now examine whether Facebook offered European users adequate data protections, and it may order the suspension of Facebook's transfer of data from Europe to the US if so.

Here's the news release from the European Court of Justice:

[Image: ECJ Safe Harbor news release. Credit: ECJ]

The ruling comes after privacy advocate Max Schrems brought a case against Facebook in Ireland. He said his privacy had been violated by the NSA's mass-surveillance programs, first revealed by whistle-blower Edward Snowden. Schrems is Austrian, but he brought the case against Facebook in Ireland because Facebook's European headquarters are in Dublin.

He was jubilant Tuesday morning:

    *YAY* #CJEU on #SafeHarbor: SH invalid. DPC had to investigate. #EUdataP
    — Max Schrems (@maxschrems) October 6, 2015

Here's Schrems at the European Court of Justice on Tuesday awaiting the ruling:

    Cuej: Max Schrems awaits the decision on #Facebook #SafeHarbor pic.twitter.com/wrcGaZQMwh
    — Aurélie Mayembo (@aureliemayembo) October 6, 2015

Initially, Ireland's data regulator, the Data Protection Commissioner, rejected the case because it was bound by a legal pact called the Safe Harbour agreement (or Safe Harbor, depending on which spelling you adopt). Schrems subsequently appealed the decision, resulting in the European Court of Justice's ruling.

The ECJ ruling is final and cannot be appealed.

What are people saying?

In a statement, Schrems said: "I very much welcome the judgment of the Court, which will hopefully be a milestone when it comes to online privacy. This judgment draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible ... This decision is a major blow for US global surveillance that heavily relies on private partners. The judgment makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights."

The court ruling obliquely touches upon US spying, saying "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life."

Facebook said in a statement: "This case is not about Facebook. The Advocate General himself said that Facebook has done nothing wrong. What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows."

It continues: "Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbour. It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security."

Helen Dixon, the Irish data-protection commissioner, said in a statement that she "welcome[s] today's judgment," and that "in declaring the old 'safe harbour' rules invalid ... the significance of the judgment extends far beyond the case presently pending in Ireland. In that regard, my Office will immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgment can be implemented in practice, quickly and effectively, particularly insofar as it impacts on EU/US data transfers."

So what now?

Previously, American companies could rely on Safe Harbour to ensure they could legally transfer data on Europeans from Europe to the US. Now, individual countries' data regulators could challenge this transfer — meaning companies like Google could face dozens of different regulatory environments in Europe. Countries could even demand that data on their citizens be stored within their own countries. Russia did this recently, introducing a new data law that demanded data on Russian citizens be stored within Russia.

The ECJ decision follows a legal opinion from Advocate General Yves Bot, an adviser to the court, arguing Safe Harbour should be struck down. "The surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance," Bot said. "In those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection."

[Image: Larry Page. Credit: REUTERS/Steve Marcus. Caption: It's not just tech startups — any company that relies on Safe Harbour for the transfer of user, customer, or employee data is affected.]

He argued that agreements such as the 2000 Safe Harbour law could not supersede scrutiny at the national level. Such agreements "cannot eliminate or even reduce the national supervisory authorities' powers ... if the national supervisory authorities receive individual complaints, that does not in my view prevent them, by virtue of their investigative powers and their independence, from forming their own opinion on the general level of protection ensured by a third country and from drawing the appropriate conclusion when they determine individual cases."

There are other methods that companies can use to legitimise the transfer of data from Europe to America. Safe Harbour "is not the only way you can legitimise the transfer of personal information but it is probably the most important method," Dr. Susan Foster, a privacy lawyer at the law firm Mintz Levin, told Business Insider. One option is to directly seek the consent of the data subject, but it could be difficult to do so in cases in which companies have previously relied exclusively on Safe Harbour.

"Consent has to be explicit and freely given" — which causes a headache for another key use of Safe Harbour, the transfer of employee data. "In many countries in Europe you can't rely on consent from employees, because employees are understood not to have free choice." An employee may feel pressured into consenting, so such a consent would not be a valid basis for the transfer. "A lot of multinational companies with employees in Europe rely on Safe Harbour because they don't feel they can rely on consent, quite rightly," Foster says.

Even in instances in which consent can be freely given, there could be future hurdles as legal debate in Europe continues as to whether consent is an adequate mechanism (given how people tend to disregard terms and conditions). "At the moment we have consent as a valid basis of the transfer," Foster says. "I can foresee a world within the next 12 months where it's not."

Another option is "model clauses" — pre-approved clauses that can be slotted into contracts dealing with data protection.