Safe (Harbour) is dead

On Tuesday, 6th October this year, Austrian law student Max Schrems won his case in the European Union's top court. Safe Harbour was declared invalid and unsafe.

And it all comes crashing down. To be fair, there were concerns about Safe Harbour for some time, and attempts to patch it have been made and are under way.


What is Safe Harbour anyway and why do we care?


Our personal information has various protections across the world (or none). In the EU we have the Data Protection Directive.

When we hand personal information to companies, we expect it to be used for the purpose we gave it for, to be kept safe and not to be passed on to others, for example marketing companies, without our knowledge and consent.

The EU directive explicitly states that everyone has the right to have their personal information protected, but this is not always the case when the company, or your information, is located abroad.

Safe Harbour was introduced to try to protect EU citizens when their data is passed to US companies. It seeks to ensure that protections similar to those reasonably expected of an EU company are in place. In the USA this is managed by the Federal Trade Commission.

But Max Schrems alleged that his rights under the Data Protection Directive were being infringed by Facebook, because Facebook is required to hand data, including his own, over to the National Security Agency (NSA) in the USA. This practice was revealed by Edward Snowden.

In other words, Facebook was not providing the level of protection that Max Schrems could expect as an EU citizen.

On winning his case Max Schrems said "The judgment makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights."

And so it should be.

US interpretation of Privacy


The need for an agreement between the USA and the EU implies that the USA does not take privacy seriously.

Privacy is important in the USA, but it does not have the same meaning or the same legal protections as it does in the EU.

For instance, the USA has a "right to be let alone", but this only concerns the press printing information about people, balanced against the public's need to know that information. It therefore protects the right to free thought and speech against damage to the individual's reputation and their "property", i.e. their personal name, reputation, etc.

Such legislation as the USA does have is more about placing a duty on the company to declare its practices than about limiting what it does with the data.

The only legal protection of personal information in the US is specifically around children online (COPPA), financial transactions (in so far as declaring information-sharing practices) under the Gramm-Leach-Bliley Act, and health data (HIPAA), but again this is about declaring personal data handling practices rather than limiting its use and sharing. There is, however, a presumption of protection and of not sharing data unduly.

The National Institute of Standards and Technology (NIST) has drawn up best practice guides for the definition and protection of personal data, but these are not a legal requirement and so are only picked up by companies as and when required to further their commercial aspirations in trading with EU companies and citizens. This might be too simplistic a view, but it highlights that without compulsion there are lower take-up rates of protections. After all, why increase costs when you don't have to?

Future


Whilst the dust must now settle, it is too early to truly declare Safe Harbour dead and buried. This ruling just means more scrutiny and increased safeguards being introduced for sharing personal data between the EU and the US.

As the FTC chairwoman, Edith Ramirez, says, "we share the commitment of our EU counterparts to protect consumers' personal information and privacy".

The chair of the European Parliament Civil Liberties Committee, Claude Moraes, has also stated that "The Commission must immediately put forward a new complete and strong framework for transfers of personal data to the US which complies with requirements of EU law as enshrined in the Charter of Fundamental Rights and EU data protection rules and provide our citizens with solid, enforceable data protection rights and effective independent supervision".

So the EU and the USA will want to ensure trade is preserved and will no doubt work together to enhance or introduce new agreements.

Companies implement many governance processes to protect their employees from a health and safety perspective, to protect against the misappropriation of funds (internally or externally), etc. We need to move to a position where personal data is seen in the same light, afforded the same attention and protection, and assumed to be a fundamental duty on all companies and employees.

Personal information is owned by us but given to companies with the expectation of good stewardship of our information.

This court case, and the ongoing theft of personal information that we unfortunately hear about all the time, must be seen as a warning to us all and a rallying cry to do more for the data we hold and to demand more from those we give our information to.

Unfortunately, too many of us do not value our personal information; otherwise we would not be so free in giving it away for all sorts of commercial offers, subscriptions, etc. without understanding and demanding appropriate protection.

Please do like, share or comment so we can debate this important topic.
