At first, I expected the European Commission to patch the current Safe Harbor within weeks or months. This is also the approach the European Commission is currently working on.

After a second review of the European Court of Justice's (ECJ) judgment, it will be very hard to come up with a solution that addresses all problems identified by the Court, given the U.S. position. It also seems questionable if a "Safe Harbor 2.0" will have real benefits for U.S. controllers in practice compared to transfer methods under Art 26 of Directive 95/46.

While all issues brought up by the ECJ could be solved in theory, the U.S. government will very likely not be able or willing to limit surveillance laws to an extent that they comply with all requirements of the Charter of Fundamental Rights (CFR) in respect to the right to privacy. To come up with effective judicial protection for non-U.S. persons seems politically impossible, as this was not even possible for U.S. citizens. Even the attempt to enact a Judicial Redress Act and the proposed “Umbrella Agreement” show that the two sides can only reach agreement for very limited safeguards, that are far from what the ECJ now requires.

In addition, a Safe Harbor 2.0 would have to include much stricter limitations for businesses. The times where U.S. companies could get away with Safe Harbor principles (SHPs) (that could be easily circumvented) are over. Any new SHPs must stand the “essentially equivalent” test, if they should survive another challenge at the ECJ. Once this is realized, the interest of businesses in a new Safe Harbor may be rather limited, especially after everyone will have to move to Standard Contractual Clauses and Binding Corporate Rules to bridge the gap period anyway.

Washington will very likely end up choosing between a major reform of U.S. surveillance laws and a redraft of the Safe Harbor program (that will basically need to be a copy/paste from Directive 95/46 in order to have a system that withstands a new ECJ challenge) or simply live with a more burdensome data transfer under Article 26 of Directive 95/46. It would not be unreasonable to pick the second option.

Controllers that can reasonably claim that they are not factually aiding mass surveillance should be able to get away if the national data protection authorities are reviewing data transfers under Art 26. But U.S. controllers which factually comply with the relevant surveillance laws in the U.S. (right now according to the Snowden documents e.g. Apple, Google, Facebook, Yahoo, AOL or Microsoft) the ECJ ruling may require serious reorganization. As the core findings of the ECJ ruling are based on the CFR, they will equally apply to all transfer methods under Art 26 and any new Safe Harbor.

Depending on the situation measures for the relevant U.S. businesses could reach from contractual changes to let data flow differently (e.g. directly from data subjects to the U.S.), separation of U.S. and EU products, sacrificing tax avoidance schemes that involve EU headquarters to avoid EU jurisdiction, all the way to data localization.

Despite contrary initial claims, it seems like major players that are factually involved in programs like PRISM will have to take very complicated and costly measures. At the same time businesses whose core business is not in data processing, may just need to switch to another legal basis for data transfers.

It will be very interesting to watch the dynamics in the coming months. After thinking through the options under the ECJ ruling, it seems that the intended “quick fix” will hardly lead to a new Safe Harbor that provides the necessary legal certainty for controllers. Minding that the two parties have debated for two years to not even get the very weak “13 recommendations” program by the European Commission done, it seems a switch to “alternative” transfer methods under Art 26 will be more reasonable than hoping for a Safe Harbor 2.0.

To read Mr. Schrems' complete analysis of the ECJ decision, click here.

Top photo: Courtesy of Max Schrems.

Will We See a "Safe Harbor 2.0" Soon? by Max Schrems is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Based on a work at http://www.europe-v-facebook.org/EN/Complaints/PRISM/Response/response.html.