This week on NVTC’s Blog, Host in Ireland’s President and Founder Garry Connolly discusses Safe Harbor, a policy agreement that regulated the way that U.S. companies export and handle the personal data of European citizens.
In Nov. 2000, the United States Department of Commerce and the European Union established Safe Harbour, a policy agreement established between that regulated the way that U.S. companies export and handle the personal data of European citizens. This enabled American technology companies to compile data generated by their European clients in web searches, social media posts and other activities online.
In 2015, a major issue with the agreement is the collection of personal data that people create when they post something on Facebook or other social media, when they conduct searches on Google, or when they order products or buy movies from Amazon or Apple. Such data is invaluable to companies, which use the information for a broad range of commercial purposes, including tailoring advertisements to individuals and promoting products or services based on users’ online activities.
Safe Harbour, regarding data transfer, does not apply solely to tech companies or online retail, however. It also affects any organization with international operations, such as when a company has employees in more than one country and needs to transfer payroll information, or allow workers to manage their employee health benefits online.
So how did we get from data concerning your preference for wool socks over cotton or your interest in purchasing season four of “Game of Thrones” to controversial issues concerning Europeans’ privacy rights and U.S. national security interests?
As Helen Dixon, Ireland’s Data Protection Commissioner, pointed out in a statement issued by her Office, the issues dealt with in the decision by the Court of Justice of the European Union (ECJ) to invalidate the “Safe Harbour” system, under which companies transfer customer data from Europe to the United States, are “complex.” She elaborated, saying that the issues “will require careful consideration” and “what is immediately clear is that the Court has reiterated the fundamental importance attaching to the right of individuals to the protection of their personal data. That is very much to be welcomed.”
The ruling by the ECJ found that the Safe Harbour agreement is flawed because it allowed American government authorities to gain access to Europeans’ online information. The court said leaks from Edward J. Snowden, the former contractor for the National Security Agency (NSA), made it clear that American intelligence agencies had access to the data, infringing on Europeans’ rights to privacy.
The issue came to head when Max Schrems, a 27-year-old graduate student living in Austria, argued that Europeans’ online data was misused by Facebook because it cooperated with the NSA’s Prism program. Prism, in part, involved the U.S. Federal government’s collection of information on Europeans, gathered from the world’s largest Internet companies, in search of national security threats. An interesting side note is that Schrems originally filed his complaint with the Irish Data Protection Commissioner, since it is the privacy regulator for Facebook outside the U.S. because the Company’s European headquarters are located in Dublin. He eventually took his case to the Irish High Court, which referred it to the ECJ in July of last year. Following the ECJ judgment, the Irish court is expected to rule that the Irish Data Protection Commissioner must investigate his complaint properly and decide whether to suspend such data transfers.
As many large American tech companies have set up their overseas headquarters in Ireland, the Irish government has been supportive of Safe Harbour. However, Helen Dixon has begun discussions with her data protection counterparts in other European Union member countries to best determine how the ECJ’s judgment can be “implemented in practice, quickly and effectively” as it impacts European to U.S. data transfers, Host in Ireland is confident that procedures can be established that continue to support the thriving digital economy, respects individuals’ right to privacy, and ensures the safety and protection of our global community, both home and abroad.
Interested in learning more about data protection? Join NVTC, Host in Ireland, and Helen Dixon for an event on April 7, 2016 at the National Conference Center. Please email firstname.lastname@example.org for details.