Information commissioner Christopher Graham has urged businesses to start thinking about new data transfer arrangements after Safe Harbour was ruled invalid earlier this month.
Speaking during an online debate on the recent decision, Graham said that the Information Commissioner's Office (ICO) is grappling with the EU ruling just like everyone else, and is aware that it is causing concerns.
“I appreciate the concerns [and] the consequence this decision will have, and the first thing I should say is that we as the data protection authority get it. We know it poses a problem for companies big and small,” he said.
But Graham added that a deadline of the end of January 2016 for a new Safe Harbour 2.0 to be agreed has been put in place, and companies should not ignore this grace period and instead tackle the situation head-on.
“We’re not going to start doing some knee-jerk enforcement [in January] but it is important that data controllers begin to think about what steps they should take to be confident they are entrusting the data of EU citizens to a safe place,” he said.
“If later on in the new year, when various data protection authorities come to call and say ‘What’s happened?’, and the answer is ‘We’re not bothered,’ you will be in trouble.”
Graham noted that other data transfer arrangements exist, such as binding corporate rules and model clauses, that could be used to cover data transfers.
Concerns have been raised that, if Safe Harbour has been ruled not to provide adequate data protection, binding corporate rules and model clauses may also be at risk, although Graham downplayed this concern.
“The EU court decision was relating to the legality of the EC decision to recognise the adequacy of Safe Harbour, and that depended on that,” he said. “But the EC’s view doesn’t apply to binding corporate rules and model clauses.”
Graham also noted that a meeting is scheduled to take place on 11 November between US and EU regulators as part of ongoing discussions around the Safe Harbour 2.0 arrangement.
Irish data watchdog on the case
Graham's comments come after the Irish Data Protection Commissioner (DPC) said that it will now investigate the nature of the data Facebook sends from its Irish data centre to the US, after the Safe Harbour ruling.
The DPC had originally refused to investigate as it ruled that the Safe Harbour framework covered Facebook’s data transfers. This led Austrian campaigner Max Schrems to take a case to the High Court in Ireland, which in turn passed it to the EU.
The Irish High Court has now agreed that the DPC can investigate the case, a move welcomed by Irish DPC commissioner Helen Dixon.
“I welcome today's ruling from Judge Hogan which brings these proceedings to a conclusion,” she said. “My office will now proceed to investigate the substance of the complaint with all due diligence.”
Facebook has always denied that it ever passed any data to the US government, or that any access is given through ‘backdoors’, and said that it will cooperate with the investigation as required.
“Facebook is not and has never been part of any programme to give the US government direct access to our servers,” a spokesperson said.
“We will respond to enquiries from the Irish DPC as they examine the protections for the transfer of personal data under applicable law.”
Earlier this week the Article 29 Working Party issued the deadline of 31 January 2016, warning that, if no agreement was reached, data protection authorities, such as the ICO in the UK, would begin taking action.
“If by the end of January 2016, no appropriate solution is found EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions,” it said.
This effectively means that businesses engaged in transfers to the US will have to hope that new laws are agreed, or adhere to model clauses or binding corporate rules to safeguard data transfers by 31 January.
The stance by the Working Party also places additional pressure on EU and US regulators to hammer out an agreement.
The Working Party urged EU member states and the US to work together to achieve a new model for data transfers, suggesting that the ongoing discussions of ‘a new Safe Harbour’ could be the solution.
The situation is complex, though, as the Snowden leaks of 2013 showed that the US monitors data on EU citizens gathered by US firms. The Working Party wants more safeguards in place to stop this happening.
“Transfers to third countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers,” it said.
However, the US is not expected to yield in this area, as it considers monitoring of data central to its intelligence and security operations. As such, it remains to be seen whether a compromise can be reached.
The Working Party also reiterated that any transfers taking place under the Safe Harbour scheme are now “unlawful”.
“Transfers that are still taking place under the Safe Harbour decision after the European Court of Justice judgement are unlawful.”
The statements from the Working Party come after it was forced to hold an emergency meeting earlier this month to try to make sense of the decision by the European Court of Justice (ECJ) to rule Safe Harbour invalid.
The ECJ adopted the same decision reached by the EU attorney general that the Safe Harbour data processing rules initiated in 2000 do not provide enough guarantees that data on EU citizens will remain safe when sent to the US.
The court's Safe Harbour decision (PDF) could mean that tech companies have to store data in the EU, rather than transferring it to the US, or achieve certification for other, more stringent and time-consuming rules regarding data transfers.
“The US authorities were able to access the personal data transferred ... in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security,” said the ruling.
Secondly, the court said that EU citizens had no legal redress to stop their data being misused in this way, and that the rules undermined the power of data protection authorities to rule on data transfers.
“The court finds that the Safe Harbour decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals,” it said.
However, discussions are already taking place between the EU and US to create a new Safe Harbour framework that could replace the now-defunct model.
The ECJ said that it reached its conclusion based on several factors, such as that the US authorities could always “prevail” over Safe Harbour to access data when they deemed it necessary.
The case was brought against Facebook by Austrian resident Max Schrems after the Edward Snowden revelations in 2013 showed how US agencies such as the National Security Agency (NSA) were able to harvest data on EU citizens.
Schrems took his case first to the Irish Data Protection Authority as this is where Facebook is headquartered in the EU. The Irish data protection authority rejected the case, arguing that the Safe Harbour deal with the US was binding.
However, Schrems appealed against this decision in the Irish high court, which in turn asked the ECJ for its opinion, leading to the latest ruling.
He was understandably upbeat after the ECJ's decision.
Facebook, which was not found guilty of any wrongdoing, said that new rules governing data transfers are needed to avoid harming the user experience of its tools.
“Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbour,” a spokesperson said.
“It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.”
The ECJ decision was welcomed by Open Rights Group executive director Jim Killock, who called for new rules to protect EU citizens.
“In the face of the Snowden revelations, it is clear that Safe Harbour is not worth the paper it's written on. We need a new agreement that will protect EU citizens from mass surveillance by the NSA.”
Act now or else
Christopher Jeffery, head of UK IT, telecoms and competition at law firm Taylor Wessing, warned that, while other measures governing US data transfers exist, such as binding corporate rules or model clauses, the decision will have far-reaching implications.
“There are alternatives to Safe Harbour, but for most companies they take time and money to put in place and that will be an unwelcome distraction,” he said.
Jeffery added that data protection regulators across Europe are likely to react differently to the ruling. Some, such as the UK or Ireland, will be more lenient, but others, such as Germany, could well act swiftly against infringing firms.
“The key message to businesses is to ‘get on it’ immediately. Getting model clauses signed, for instance, between affiliates and with key external suppliers should be relatively straightforward and helpful to show they are taking the issue seriously,” he said.
“Go for the low-hanging fruit early to show a desire to move towards fuller compliance. Organisations which are slow to react and are seen to be doing nothing risk attracting regulator attention and that is not likely to end well.”