Global data: security and spying with no safe harbour
In light of the Snowden revelations and ongoing questions about the security of our data, how will companies adapt to continue providing the services we all rely on?
Companies and individuals rely on being able to transfer and store data across the world every day. Facebook and Twitter are well-known examples of the thousands of companies which depend on this practice. However, the security of this data has been questioned in the light of, among other things, Edward Snowden's revelations that the US intelligence services routinely accessed the personal data of individuals. As a result, the regulation of data transfers between the European Union and the United States has been drastically redrawn by the Court of Justice of the European Union (CJEU) in Maximilian Schrems v Data Protection Commissioner (Case C-362/14, judgment of 6 October 2015).
The decision of the CJEU illustrates two things: how companies structure their daily operations around legal requirements, and how they must adapt when that legal framework changes. Before the decision, thousands of companies had signed up to the 'Safe Harbour' agreement between the European Union and the United States to ensure that they complied with the European Union's rules on data transfers. The CJEU's decision invalidated Safe Harbour, meaning those companies could now be in breach of their legal obligations.
All those companies must therefore adapt. In the short term, the services we rely on will continue almost as normal. The commercial reality is that we need these global data transfers to continue, so most national regulators have given companies time to adjust. In the long term, the consequences of the CJEU decision could be far reaching. Affected companies must look to legal solutions, such as updated contracts, and technical solutions, such as European data centres, in order to comply with the new legal landscape.
In 2015, data is global. 'Data' is a catch-all term and includes all the information which we provide about ourselves and our lives online; from credit card details to photos of our friends; from workplace documents to personal emails.
Data is transferred and stored across the world. The volume of data transferred between the European Union and the United States alone is vast, connecting 800 million consumers across two continents. Some of the most influential businesses of our time – Facebook, Google, Microsoft, Twitter – are built on the transfer of data between the European Union and the United States. Beyond these well-known brands, there are thousands of companies which rely on passing data across borders seamlessly (eg, cloud storage providers) and thousands more companies and individuals who rely on the services these companies supply. The worldwide online data storage industry is estimated to be worth $50-100 billion in the next three to four years.
With so much resting on the movement of data across borders, restrictions could have far reaching consequences for individuals, companies and even national economies.
Companies currently structure their data transfers to comply with existing restrictions. All data transfers in the European Union must comply with the Data Protection Directive 95/46/EC (data protection directive). This legislation prevents the personal data of EU citizens being transferred outside the European Union unless the destination ensures an 'adequate' level of protection for that data. As the CJEU confirmed in Schrems, 'adequate' does not mean identical, but it does mean a level of protection essentially equivalent to that guaranteed within the European Union. This is a relatively high threshold, since EU privacy laws are among the most stringent in the world.
The 'Safe Harbour' agreement, set out in 2000 by the European Commission (EC) in Decision 2000/520/EC, was designed to provide a simple and certain way for companies to satisfy the data protection directive when transferring data between the European Union and the United States. Under the agreement, a US company which self-certified its adherence to seven data handling principles (eg, to keep data secure) would be treated as offering adequate protection and could therefore freely receive data from the European Union.
In Maximilian Schrems v Data Protection Commissioner, the CJEU considered whether the Safe Harbour agreement provided sufficient protection to EU citizens. In deciding that the Safe Harbour agreement was invalid, the CJEU took account of three important factors:
- the right of an EU citizen to lodge a complaint with a national data protection authority about the processing of their data, and that authority's power to investigate the complaint independently, are protected by the EU Charter of Fundamental Rights. The Safe Harbour decision undermined these by treating transfers to the United States as adequate and so limiting what national authorities could examine;
- Commission Decision 2000/520/EC, which set out the Safe Harbour agreement, contained no finding that US law or international commitments in fact ensured a level of protection for the rights of EU citizens essentially equivalent to that in the European Union; and
- in light of the Edward Snowden revelations, EU citizens became aware that the US intelligence services, and particularly the National Security Agency, could access on a generalised basis the personal data stored in the United States, without that access being limited to what was strictly necessary and without EU citizens having any legal remedy to access, rectify or erase their data. In the CJEU's view, such access compromises the essence of the fundamental right to respect for private life, and the absence of a remedy compromises the right to effective judicial protection, so US data protection law and practice were in fact inadequate.
The impact is that companies can no longer rely on the Safe Harbour agreement to comply with EU rules, so they must find new methods. With over 4,400 companies currently certified under the Safe Harbour agreement, the impact of the court's decision may be far reaching.
The immediate direct impact of the decision is limited because many national data regulators (including the United Kingdom's Information Commissioner's Office) have reassured companies that they will allow time for those companies to update their practices. This is because of the commercial reality that an ever-increasing number of companies and individuals need global data transfers, but cannot adapt their practices immediately.
However, companies will not be able to rely on the Safe Harbour agreement for much longer. Companies are therefore scrambling to put in place new methods of complying with EU data transfer rules. Examples of potential solutions include the following.
Model contract clauses
A company enters into a contractual obligation to meet certain data protection standards when data is transferred abroad, using the standard clauses approved by the European Commission. Many companies are adopting this approach. However, there is significant cost and time involved in putting the clauses in place, and they cannot easily be amended or updated in what is a fast-moving industry. Obligations in some jurisdictions (eg, Spain) to seek regulatory approval for these clauses before they are used further complicate the position.
Consent of individuals
A company could obtain the consent of each EU citizen to the transfer of their data out of the European Union. However, obtaining valid consent is not straightforward, particularly if the consent is given by agreement to detailed terms and conditions which many individuals and companies will not read. Moreover, consent requirements will change when the General Data Protection Regulation is passed (estimated to be early in 2016), meaning companies will have to revisit any changes they make now to be sure that they still work.
Localised data centres
A company could set up data storage centres within the European Union and therefore avoid the need to transfer data out of the European Union at all. This approach has been adopted to a degree by some large tech companies such as Google and Microsoft. However, the necessary financial investment is far harder for smaller companies to make. In addition, it will be very difficult, if not impossible, for large companies to service all of their EU businesses with data held solely in the European Union, since support, administration and analytics functions are often based elsewhere.
Looking to the future
Companies will have to react to these changes now. However, they will also be aware that Safe Harbour is currently under re-negotiation. Politicians on both sides of the Atlantic will feel the pressure to agree a new, business-friendly Safe Harbour agreement as tech firms warn that restricting data movement could hold back start-ups which lack the finances to invest in legal compliance. Some observers have suggested that the CJEU's decision may be intended to put pressure on these negotiations to fully respect the privacy of EU citizens. When an agreement is finally reached, companies will have to adapt to yet another legal landscape.
Angus Milne is a first-year trainee solicitor at Taylor Wessing.