[PC-NCSG] short summary of Safe Harbor for those who are interested
Stephanie Perrin
stephanie.perrin
Sun Oct 18 15:25:03 EEST 2015
The matter of Safe Harbour has come up at this meeting. I am a fan of
Hawktalk, Chris Pounder's blog at http://amberhawk.typepad.com/ [full
disclosure, Chris is a colleague whom I connect with for international
work]. Here are two short analyses of recent ECJ decisions; the first
is the Safe Harbor case and the second is also, I would suggest,
extremely relevant to ICANN wrt European personal data.
cheers Stephanie
06/10/2015
Understanding Safe Harbor, Schrems v Facebook in less than 300
words
<http://amberhawk.typepad.com/amberhawk/2015/10/understanding-safe-harbor-schrems-v-facebook-in-less-than-300-words.html>
Safe Harbor is now defunct because the European Court of Justice (ECJ)
found the following:
(a) There is no general privacy law or other measures enacted in the
USA that shows the USA offers "an adequate level of protection" for
personal data relating to European data subjects;
(b) Public law enforcement authorities which obtain personal data
from organisations in Safe Harbor are not obliged to follow the Safe
Harbor rules after disclosure;
(c) Some USA law enforcement agencies can gain access to personal
data in Safe Harbor without having any law that legitimises their
access; and
(d) The European Commission knew all the above and knew that personal
data were being possibly used for incompatible and disproportionate
purposes by law enforcement agencies.
If you think of Article 8(2) of the Human Rights Convention, you will
"get" the ECJ Judgment immediately. This Article states that
"/There shall be no interference by a public authority with the exercise
of this right except such as is in accordance with the law and is
necessary in a democratic society in the interests of national security,
public safety or the economic well-being of the country, for the
prevention of disorder or crime, for the protection of health or morals,
or for the protection of the rights and freedoms of others/"
As Snowden leaks showed, there is no law legitimising the interference
by the National Security Agencies, so one does not know whether any
interference on their part is necessary.
Safe Harbor is unsafe because such agencies in the USA can access
personal data without due process, and because the USA has no law that
limits the use of personal data by them.
Perhaps the time has come not for a revamped Safe Harbor (as is
promised), but for the USA to adopt a Federal Data Protection Law.
*References*
/Schrems v Facebook: Case C-362/14/
http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=81678
The above will be discussed at our all day *UPDATE* session (*Oct 19th;
London; £225*). Also coming up are our *Data Protection Practitioner*
courses leading to the BCS Qualification in *Leeds* (starting October
13th) and *Edinburgh* (starting 2nd Nov). All details on
www.amberhawk.com <http://www.amberhawk.com/>.
02/10/2015
ECJ bombshell! No fair processing notice? No processing.
<http://amberhawk.typepad.com/amberhawk/2015/10/ecj-bombshell-no-fair-processing-notice-no-processing.html>
I think the European Court of Justice (ECJ) has just issued a judgement
which has the potential to be more important than Max Schrems v Facebook
(due on October 6 next week).
The ECJ has just concluded that Articles 10, 11 (the fair processing
requirements of Directive 95/45/EC) and Article 13 (includes the
exemptions from the need to provide a fair processing notice) *must* be
interpreted as precluding national measures which allow a public
administrative body in a Member State to disclose personal data to
another public administrative body for their subsequent processing,
without the data subjects being informed of that disclosure and processing.
This judgment seems to imply that if a fair processing notice does not
describe the purpose of the processing */and/* there is no exemption
from the fair processing obligation then a data controller should not
process personal data for that purpose! Certainly, Government should
not introduce data sharing legislation and ignore the fairness
obligations under the Act (unless there is no applicable exemption from
the fairness obligations). This is the position irrespective of an
Article 7 criterion (i.e. a Schedule 2 ground in the UK Act) for the
processing of personal data.
The Court agreed with the Advocate General that the requirement to
inform the data subjects about the processing of their personal data is
important since it affects the exercise by the data subjects of their
right of access to, and right to rectify, the personal data being
processed (in Article 12 of Directive 95/46), and their right to object
to the processing of those data (in Article 14 of the Directive).
According to the Court, it follows that the fair processing requirements
of personal data as laid out in Article 6 of Directive 95/46/EC (i.e.
the First Principle of the UK DP Act) "/requires a public administrative
body to inform the data subjects of the transfer of those data to
another public administrative body for the purpose of their processing
by the latter in its capacity as recipient of those data/".
The Court rejected the idea that because there was a law that allows the
disclosure, then there was no need to provide a fair processing notice.
The Court stated that the only reason why one cannot provide a fair
processing notice is when there is an exemption from the obligation
consistent with the conditions laid down in Article 13 of Directive
95/46/EC (which permits Member States to derogate from fairness
obligations flowing from Article 10).
That is why "/Articles 10, 11 and 13 of Directive 95/46 must be
interpreted as precluding national measures, such as those at issue in
the main proceedings, which allow a public administrative body of a
Member State to transfer personal data to another public administrative
body and their subsequent processing/, */without the data subjects
having been informed of that transfer or processing/*" (my emphasis).
Note that this judgment can be overturned if the Council of Minister's
version of Article 21 of the General Data Protection Regulation
prevails. This allows Member State law to introduce an exemption from
the fair processing notice with respect to "/important objectives of
general public interests of the Union or of a Member State/". As any
government can argue that the reason for enacting /any/ /legislation/ is
to meet "/important objectives of general public interests/", then the
Article 21 exception proposed by /any/ Member State legislation can
neuter this new ECJ Judgment.
This is the Third ECJ judgement that the Council of Minister's version
of the Regulation would overturn; it is yet another indication that the
Directive 95/46/EC might offer better protection to data subjects than
the Regulation.
*References*
Case C-201/14 /Smaranda Bara and Others v Președintele Casei Naționale
de Asigurări de Sănătate and Others/:
http://curia.europa.eu/juris/liste.jsf?num=C-201/14 (Sadly the English
version of the Advocate General's view is not available yet; I would
really like to see what it says).
My analysis of Article 21, and the other exemptions promoted in the
Council of Minister's version of Regulation, shows that if this text
prevails the Regulation will weaken protection for data subjects. See
end of
http://amberhawk.typepad.com/amberhawk/2015/08/councils-exceptions-from-the-data-protection-regulation-degrade-the-privacy-protection-below-directive-9546ec.html.
The other two ECJ Judgments that are overturned by the Member State
version of the Regulation:
http://amberhawk.typepad.com/amberhawk/2015/07/council-of-ministers-regulation-text-negates-ecj-rulings-in-lindqvist-and-ryne%C5%A1.html.