The EU Commission confirms in a press release that standard contracts issued by the EU will replace the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in early October 2015. The agreement had for some fifteen years governed the transfer of personal data by companies between the EU and the USA.
The Safe Harbor Privacy Principles were created as an umbrella for companies that transfer personal data between EU countries and the USA. To qualify, a company had to meet seven key principles showing that it complied sufficiently with the privacy laws of the participating countries. US companies could register with the program and be certified if they complied with the EU Data Protection Directive, and could then legally transfer personal data on the basis that they provided an adequate level of protection. The seven principles are as follows:
- NOTICE: An organization must inform individuals about the purposes for which it collects and uses information about them.
- CHOICE: An organization must offer individuals the opportunity to choose (opt out) whether their personal information is to be disclosed to a third party.
- ONWARD TRANSFER: To disclose information to a third party, organizations must apply the Notice and Choice Principles.
- SECURITY: Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.
- DATA INTEGRITY: Consistent with the Principles, personal information must be relevant for the purposes for which it is to be used.
- ACCESS: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate.
- ENFORCEMENT: Effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed.
The Safe Harbor Privacy Principles came under review after the Austrian privacy campaigner Max Schrems filed complaints against several internet giants, among them Facebook, for collaborating with the NSA's PRISM program, in the wake of Edward Snowden's exposure of the US intelligence surveillance schemes.
Certification under Safe Harbor was based on self-certification: a company declared its own compliance with the principles, and continued to do so after the initial registration, without independent verification. That weakness is why the then EU Justice Commissioner Viviane Reding had already called the scheme "unsafe".
A replacement Safe Harbor agreement is expected to be negotiated and put in place by the end of January 2016. In the meantime, companies that rely on transferring personal data between the participating countries can do so using the EU's standard contracts (the Commission's standard contractual clauses). This means the companies themselves are responsible for deciding whether a given transfer of personal data complies with privacy law, and have no certification to rely on otherwise. A company that breaches these laws is therefore liable for the breach and cannot point to any agreement or certification to avoid that liability.
Schrems states in response to the ruling:
“This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.
At the same time this case law will be a milestone for constitutional challenges against similar surveillance conducted by EU member states.”