[PC-NCSG] short summary of Safe Harbor for those who are interested

Stephanie Perrin stephanie.perrin
Sun Oct 18 15:25:03 EEST 2015


The matter of Safe Harbour has come up at this meeting.  I am a fan of 
Hawktalk, Chris Pounder's blog at http://amberhawk.typepad.com/ [full 
disclosure, Chris is a colleague whom I connect with for international 
work].  Here are two short analyses of recent ECJ decisions; the first 
is the Safe Harbor case and the second is also, I would suggest, 
extremely relevant to ICANN wrt European personal data.
cheers Stephanie



    06/10/2015


      Understanding Safe Harbor, Schrems v Facebook in less than 300
      words
      <http://amberhawk.typepad.com/amberhawk/2015/10/understanding-safe-harbor-schrems-v-facebook-in-less-than-300-words.html>

Safe Harbor is now defunct because the European Court of Justice (ECJ) 
found the following:

(a)    There is no general privacy law or other measures enacted in the 
USA that shows the USA offers "an adequate level of protection" for 
personal data relating to European data subjects;

(b)    Public law enforcement authorities which obtain personal data 
from organisations in Safe Harbor are not obliged to follow the Safe 
Harbor rules after disclosure;

(c)    Some USA law enforcement agencies can gain access to personal 
data in Safe Harbor without having any law that legitimises their 
access; and

(d)   The European Commission knew all the above  and knew that personal 
data were being possibly used for incompatible and disproportionate 
purposes by law enforcement agencies.

If you think of Article 8(2) of the Human Rights Convention, you will 
"get" the ECJ Judgment immediately. This Article states that

/"There shall be no interference by a public authority with the exercise 
of this right except such as is in accordance with the law and is 
necessary in a democratic society in the interests of national security, 
public safety or the economic well-being of the country, for the 
prevention of disorder or crime, for the protection of health or morals, 
or for the protection of the rights and freedoms of others"/

As Snowden leaks showed, there is no law legitimising the interference 
by the National Security Agencies, so one does not know whether any 
interference on their part is necessary.

Safe Harbor is unsafe because such agencies in the USA can access 
personal data without due process, and because the USA has no law that 
limits the use of personal data by them.

Perhaps the time has come not for a revamped Safe Harbor (as is 
promised), but for the USA to adopt a Federal Data Protection Law.

*References*

/Schrems v Facebook: Case C 362/14/ 
http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=81678

The above will be discussed at our all day *UPDATE* session (*Oct 19th; 
London; £225*).  Also coming up are our *Data Protection Practitioner* 
courses leading to the BCS Qualification in *Leeds* (starting October 
13th) and *Edinburgh* (starting 2nd Nov). All details on 
www.amberhawk.com <http://www.amberhawk.com/>.




    02/10/2015


      ECJ bombshell! No fair processing notice? No processing.
      <http://amberhawk.typepad.com/amberhawk/2015/10/ecj-bombshell-no-fair-processing-notice-no-processing.html>

I think the European Court of Justice (ECJ) has just issued a judgement 
which has the potential to be more important than Max Schrems v Facebook 
(due on October 6 next week).

The ECJ has just concluded that Articles 10, 11 (the fair processing 
requirements of Directive 95/45/EC) and Article 13 (includes the 
exemptions from the need to provide a fair processing notice) *must* be 
interpreted as precluding national measures which allow a public 
administrative body in a Member State to disclose personal data to 
another public administrative body for their subsequent processing, 
without the data subjects being informed of that disclosure and processing.

This judgment seems to imply that if a fair processing notice does not 
describe the purpose of the processing */and/* there is no exemption 
from the fair processing obligation then a data controller should not 
process personal data for that purpose!  Certainly, Government should 
not introduce data sharing legislation and ignore the fairness 
obligations under the Act (unless there is no applicable exemption from 
the fairness obligations).  This is the position irrespective of an 
Article 7 criterion (i.e. a Schedule 2 ground in the UK Act) for the 
processing of personal data.

The Court agreed with the Advocate General that the requirement to 
inform the data subjects about the processing of their personal data is 
important since it affects the exercise by the data subjects of their 
right of access to, and right to rectify, the personal data being 
processed (in Article 12 of Directive 95/46), and their right to object 
to the processing of those data (in Article 14 of the Directive).

According to the Court, it follows that the fair processing requirements 
of personal data as laid out in Article 6 of Directive 95/46/EC (i.e. 
the First Principle of the UK DP Act) "/requires a public administrative 
body to inform the data subjects of the transfer of those data to 
another public administrative body for the purpose of their processing 
by the latter in its capacity as recipient of those data/".

The Court rejected the idea that because there was a law that allows the 
disclosure, then there was no need to provide a fair processing notice.  
The Court stated that the only reason why one cannot provide a fair 
processing notice is when there is an exemption from the obligation 
consistent with the conditions laid down in Article 13 of Directive 
95/46/EC (which permits Member States to derogate from fairness 
obligations flowing from Article 10).

That is why "/Articles 10, 11 and 13 of Directive 95/46 must be 
interpreted as precluding national measures, such as those at issue in 
the main proceedings, which allow a public administrative body of a 
Member State to transfer personal data to another public administrative 
body and their subsequent processing/, */without the data subjects 
having been informed of that transfer or processing/*" (my emphasis).

Note that this judgment can be overturned if the Council of Minister's 
version of Article 21 of the General Data Protection Regulation 
prevails.  This allows Member State law to introduce an exemption from 
the fair processing notice with respect to "/important objectives of 
general public interests of the Union or of a Member State/".  As any 
government can argue that the reason for enacting /any/ /legislation/ is 
to meet "/important objectives of general public interests/", then the 
Article 21 exception proposed by /any/ Member State legislation can 
neuter this new ECJ Judgment.

This is the Third ECJ judgement that the Council of Minister's version 
of the Regulation would overturn; it is yet another indication that the 
Directive 95/46/EC might offer better protection to data subjects than 
the Regulation.

*References*

Case C-201/14 /Smaranda Bara and Others v Președintele Casei Naționale 
de Asigurări de Sănătate and Others/: 
http://curia.europa.eu/juris/liste.jsf?num=C-201/14 (Sadly the English 
version of the Advocate General's view is not available yet; I would 
really like to see what it says).

My analysis of Article 21, and the other exemptions promoted in the 
Council of Minister's version of Regulation, shows that if this text 
prevails the Regulation will weaken protection for data subjects.  See 
end of 
http://amberhawk.typepad.com/amberhawk/2015/08/councils-exceptions-from-the-data-protection-regulation-degrade-the-privacy-protection-below-directive-9546ec.html.

The other two ECJ Judgments that are overturned by the Member State 
version of the Regulation: 
http://amberhawk.typepad.com/amberhawk/2015/07/council-of-ministers-regulation-text-negates-ecj-rulings-in-lindqvist-and-ryne%C5%A1.html.


