“Safe Harbour” agreements may not be that safe after all…
Safe Harbour agreements between the United States and the European Commission permitted personal data to be transferred to the United States (in principle prohibited since the United States is not considered as offering an adequate level of protection for personal data), provided the US company receiving the data was Safe Harbour-certified. For a company to be certified, it sufficed for it to self-certify, without any verification of any kind being carried out, that it ensured an equivalent level of protection of personal data to that required under European law. The inefficiency of this hypocritical system was fully exposed by the PRISM scandal. In the wake of the scandal, the European Commission issued recommendations which, not surprisingly, remained unheeded.
This is the context in which the ECJ, which was recently (on August 26, 2014) referred to by the High Court of Ireland in a case involving the threat posed to the privacy of European citizens by the surveillance carried out through PRISM, may be induced to review the validity of such agreements.
The economic consequences of any possible invalidation of such agreements would be strong, since it is through this mechanism that many transactions involving transfers of personal data take place between Europe and the United States. It is to be hoped that a reasonable agreement on this topic will be reached, especially at a time when the terrorist threats facing Europe logically prompts tighter surveillance, which will necessarily take place at the cost of personal liberty.
For more information see: Yann Padova, RLDI December 2014 “La Cour de justice de l’Union Européenne va-t-elle invalider les accords Safe Harbour?”