
Privacy Perspectives | How Max Schrems Scored an Own Goal by Toppling Safe Harbor




In case you missed yesterday’s news—because you were hill walking or unconscious somewhere—the Safe Harbor agreement, which allowed many U.S. companies to import and host EU personal data in the U.S., has been declared invalid. Headlines rushed to herald the end of all EU-U.S. data transfers.

But the truth is Safe Harbor was only ever one mechanism on which multinationals relied to transfer data from Europe to the U.S. Many used EU-approved model clauses to allow the data transfers, and many business-to-consumer (B2C) companies (including Facebook) routinely collected consent from their users to transfer personal data to the U.S. or elsewhere. Both these options for data transfer, as well as binding corporate rules (BCRs)—for those few companies who have them—are still available.

Max Schrems may have won a victory in relation to Safe Harbor, but he has lost the war as, presumably, he has still consented to Facebook’s standard terms, which allow the continued transfer of his data to the U.S.

Unwittingly, Max Schrems may actually have worsened the position for consumers who will now find B2C companies relying more heavily on consumer consent for data transfers to the U.S.

We may not see pop-up boxes explicitly stating, “I consent to Facebook transferring my data to the U.S. and sharing it with the NSA,” but deploying annoying pop-up boxes to gain consent for data transfer is an easy option for B2C companies looking for grounds to transfer data.

Consent is often championed by the EU data protection authorities, but, unlike other mechanisms for data transfer, consent shifts all the responsibility onto the consumer and away from the data controller. The consumer has to decide, “How badly do I want this product? Should I agree to these terms?” And most often they will just shrug and say OK.

Once consent has been obtained, the data controller need not consider tiresome issues such as putting in place protocols to protect EU data stored in the U.S. or providing a right of redress for EU individuals in the courts. The consumer has simply traded their EU privacy rights for a product.

How is this possibly a better deal for consumers?

I actually liked Safe Harbor. I found it made U.S. companies think about protecting EU data in a way that alternative mechanisms such as model clauses and consent do not. Senior management had to buy into it, and Safe Harbor training raised awareness amongst staff of the importance of protecting EU data. FTC oversight frightened a lot of U.S. companies into taking their Safe Harbor responsibilities seriously (whatever Max may have thought). Now this leverage is gone.

Sorry Max but I think this one is an own goal. NSA 1. EU data subjects NIL.


  • Jay Libove • Oct 8, 2015
    Consent is not so easily given under European data protection law, where the consent is not truly freely given, or the user/consumer/citizen cannot be reasonably expected to understand the consequences.
    As a concrete example, if someone would like to comment please from a better informed legal perspective than my educated layman's thoughts, wouldn't it be by definition not freely given consent for a European citizen who has been permitting his personal data to be transferred to the US under Safe Harbour, to suddenly receive a pop-up saying "Give consent (or lose your account)"?
    So, while undoubtedly many websites will pop up 'consent' notices and most users will simply click through them, I would strongly hesitate to assume that such 'consent' would be considered valid against future legal challenges.
  • Gonca Dhont, CIPP/E • Oct 8, 2015
    Individuals' rights to privacy in the EU (and not only consumers; I like the word 'citizens' better when I speak of EU privacy) cannot be waived by the same individuals' giving consent to some business practices. In other words, a controller should not feel really secured just because the consent is there. In any case, consent is the most controversial tool a business can rely on. Not only we but also regulators are aware that people are shrugging and ticking the consent box just to get that (so-called) free service.
  • Stefan Keller • Oct 9, 2015
    I think you over-simplify a bit - e.g. consent can be revoked, and this is quite hard to deal with.
  • Stefan Keller • Oct 9, 2015
    Consent can be revoked. - This in itself makes life considerably harder.