Safe Harbor is now defunct because the European Court of Justice (ECJ) found the following:
(a) There is no general privacy law or other measures enacted in the USA that shows the USA offers "an adequate level of protection" for personal data relating to European data subjects;
(b) Public law enforcement authorities which obtain personal data from organisations in Safe Harbor are not obliged to follow the Safe Harbor rules after disclosure;
(c) Some USA law enforcement agencies can gain access to personal data in Safe Harbor without having any law that legitimises their access; and
(d) The European Commission knew all the above and knew that personal data were being possibly used for incompatible and disproportionate purposes by law enforcement agencies.
If you think of Article 8(2) of the Human Rights Convention, you will "get" the ECJ Judgment immediately. This Article states that
“There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”
As Snowden leaks showed, there is no law legitimising the interference by the National Security Agencies, so one does not know whether any interference on their part is necessary.
Safe Harbor is unsafe because such agencies in the USA can access personal data without due process, and because the USA has no law that limits the use of personal data by them.
Perhaps the time has come is not for a revamped Safe Harbor (as is promised), but for the USA to adopt a Federal Data Protection Law.
References
Schrems v Facebook: Case C 362/14 http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=81678
The above will be discussed at our all day UPDATE session (Oct 19th; London; £225). Also coming up are our Data Protection Practitioner courses leading to the BCS Qualification in Leeds (starting October 13th) and Edinburgh (starting 2nd Nov). All details on www.amberhawk.com.
USA accords no rights/privacy to non-US citizens. The late CasparBowden told EU Parliament in 2013 youtube.com/watch?v=qa83l2… but European Commission did SFA.
Posted by: PB | 07/10/2015 at 07:58 PM