In case you missed yesterday’s news—because you were hill walking or unconscious somewhere—the Safe Harbor agreement, which allowed many U.S. companies to import and host EU personal data in the U.S., has been declared invalid. Headlines rushed to herald the end of all EU-U.S. data transfers.
But the truth is that Safe Harbor was only ever one of several mechanisms on which multinationals relied to transfer data from Europe to the U.S. Many used EU-approved model clauses to allow the data transfers, and many business-to-consumer (B2C) companies (including Facebook) routinely collected consent from their users to transfer personal data to the U.S. or elsewhere. Both of these options for data transfer, as well as BCRs (binding corporate rules)—for those few companies who have them—are still available.
Max Schrems may have won a victory in relation to Safe Harbor, but he has lost the war as, presumably, he has still consented to Facebook’s standard terms, which allow the continued transfer of his data to the U.S.
Unwittingly, Max Schrems may actually have worsened the position for consumers who will now find B2C companies relying more heavily on consumer consent for data transfers to the U.S.
We may not see pop-up boxes explicitly stating, “I consent to Facebook transferring my data to the U.S. and sharing it with the NSA,” but deploying annoying pop-up boxes to gain consent for data transfer is an easy option for B2C companies looking for grounds to transfer data.
Consent is often championed by the EU data protection authorities, but, unlike other mechanisms for data transfer, consent shifts all the responsibility onto the consumer and away from the data controller. The consumer has to decide, “How badly do I want this product? Should I agree to these terms?” And most often they will just shrug and say OK.
Once consent has been obtained, the data controller need not consider tiresome issues such as putting in place protocols to protect EU data stored in the U.S. or providing a right of redress for EU individuals in the courts. The consumer has simply traded their EU privacy rights for a product.
How is this possibly a better deal for consumers?
I actually liked Safe Harbor. I found it made U.S. companies think about protecting EU data in a way that alternative mechanisms such as model clauses and consent do not. Senior management had to buy into it, and Safe Harbor training raised awareness amongst staff of the importance of protecting EU data. FTC oversight frightened a lot of U.S. companies into taking their Safe Harbor responsibilities seriously (whatever Max may have thought). Now this leverage is gone.
Sorry, Max, but I think this one is an own goal. NSA 1. EU data subjects NIL.