Safe Harbor

from Wikipedia, the free encyclopedia

Decision 2000/520/EC

Title: Commission decision of 26 July 2000 under Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection afforded by the “safe harbor” principles and related “Frequently Asked Questions” (FAQ), submitted by the United States Department of Commerce
Designation (not official): Safe Harbor Agreement
Scope: EEA
Legal matter: Data protection law
Basis: Directive 95/46/EC, in particular Article 25 paragraph 6
Reference: OJ L 215 of 25.8.2000, pp. 7-47
Regulation was declared null and void.

Safe Harbor (English for "safe haven", sometimes also: Safe Harbor Agreement, Safe Harbor Pact) is a decision of the European Commission in the field of data protection law from the year 2000. The decision was intended to enable companies to transmit personal data from a country of the European Union to the USA in accordance with the European data protection directive. The designation as an "agreement" comes from the fact that this procedure was agreed with the USA. The Safe Harbor decision was declared invalid by the European Court of Justice (ECJ) through the Schrems I ruling on October 6, 2015. From August 1, 2016, a successor regulation called the EU-US Privacy Shield could be applied, which was also declared unsuitable on July 16, 2020.

Irrespective of this, there is a similar agreement between the United States and Switzerland, which pursues the same purpose with regard to data traffic between these two countries (US-Swiss Safe Harbor Framework). However, because of the judgment of the ECJ, the Federal Data Protection and Information Commissioner (FDPIC) no longer sees this as a sufficient basis for the transmission of personal data to the USA and has asked the Federal Council to terminate the agreement.

History

Data Protection Directive 95/46/EC in principle prohibited the transfer of personal data from member states of the European Union to states whose data protection did not offer a level of protection comparable to EU law. This also included the United States, because US law does not have any comprehensive legal regulations that would correspond to the standards of the EU in this respect.

A special procedure was developed between 1998 and 2000 so that data traffic between the EU and the USA did not come to a standstill. US companies could join the Safe Harbor and be registered on the relevant list of the US Department of Commerce if they undertook to follow the Safe Harbor Principles and the associated, binding FAQ.

In the Safe Harbor decision in July 2000, the European Commission recognized that the companies that had joined this system provided adequate protection for the personal data of EU citizens.

By September 2015, around 5,500 American companies had signed up to the Safe Harbor Agreement, including IBM, Microsoft, General Motors, Amazon.com, Google, Hewlett-Packard, Dropbox and Facebook.

Criticism

The Düsseldorfer Kreis had already declared in April 2010 that data exporters in Germany should not rely on US companies' claims of Safe Harbor certification, and demanded specific minimum standards that would have to be guaranteed and verified at the request of the supervisory authorities.

Since under the USA PATRIOT Act, US security authorities may have to be granted access to data stored in the United States without notifying the data owner, the Safe Harbor Agreement has come under increasing criticism. According to the Independent State Center for Data Protection in Schleswig-Holstein, Safe Harbor is "not worth the paper on which it is written".

After Edward Snowden's revelations, the German data protection officers asked the German government and the European Commission on July 24, 2013 to review the Safe Harbor system and announced that they would not allow any data exports to the USA under the Safe Harbor system until further notice.

One day later, on July 25, 2013, it became known that two complaints against Apple and Facebook had not been dealt with before the Irish data protection authority. The Irish data protection authority determined that PRISM had not changed the validity of Safe Harbor and that the question of the legality of the data export to the USA should continue to be based solely on the recipient company's membership of the Safe Harbor list. Furthermore, the authority found that the EU had “foreseen and regulated” data use such as that under the PRISM program as early as 2000.

The EU had previously announced on July 19, 2013 a review of Safe Harbor by the end of 2013. In a statement on the decision of the data protection authority in Ireland, the EU Commission stated: "In the light of the publications relating to PRISM, it appears that the data protection requirements under the Safe Harbor Agreement do not meet European standards."

On September 6, 2013, EU Justice Commissioner Viviane Reding announced a reform of EU data protection, in which companies “face fines of up to two percent of global annual sales” if they “transmit data illegally”. With 544 votes in favor, 78 against and 60 abstentions, the MEPs of the European Parliament voted in March 2014 for a suspension of the Safe Harbor Agreement.

Judgment of the European Court of Justice 2015

In September 2015, Safe Harbor received another setback when the Advocate General at the European Court of Justice, Yves Bot, in his Opinion in Case C-362/14 (Schrems / Data Protection Commissioner) found the Commission's Safe Harbor decision non-binding and invalid. The Irish High Court had referred the question to the ECJ for a decision as to whether the Safe Harbor decision prevented the Irish Data Protection Authority from examining a complaint alleging that a third country was not providing an adequate level of protection and, if so, from suspending the data transfer contested in the complaint. The complainant had specifically objected to the transmission of data via the social network Facebook to the USA.

The Advocate General stated that the Commission was not empowered to limit the powers of the national control authorities. If “systemic deficiencies are found” in a third country, a member state of the European Union “must be able to take the necessary measures to safeguard the fundamental rights protected by the Charter of Fundamental Rights of the European Union, such as the right to respect for private and family life and the right to the protection of personal data”. The USA allowed data collections from EU citizens "on a large scale [...] without their having effective judicial protection". The American secret services carried out surveillance that was "massive and untargeted" and therefore not proportionate. It was therefore not sufficient for the Commission to enter into negotiations with the USA to end this encroachment on fundamental rights. It should also have suspended the application of the Safe Harbor Decision.

In its judgment of October 6, 2015, the European Court of Justice followed the Advocate General's Opinion and stated that the Commission's Safe Harbor decision did not prevent the Irish Data Protection Authority from examining whether Facebook would suspend the transmission of user data to the USA. The decision of the European Commission does not preclude this, because the Commission can neither remove nor limit the powers of the national data protection authorities. It lacks the necessary competence.

The European Court of Justice also stated that it alone ultimately had to rule on the validity of a decision by the Commission. In this matter, it came to the conclusion that the Safe Harbor regulation was ineffective, since the US companies that had submitted to it were obliged at any time and without restriction to leave the protection regulations unapplied and to transfer personal data to the US security authorities, "without there being rules in the United States that serve to limit any interference, or effective judicial protection against such interference." The court therefore considers the essence of the fundamental rights to respect for private life and to effective judicial protection to be violated. Therefore, the Safe Harbor decision is invalid.

In a joint position paper of the Conference of the Independent Data Protection Authorities of the Federal and State Governments (Data Protection Conference) on October 26, 2015, the German data protection authorities made it clear that a transmission of data based solely on Safe Harbor is now excluded by the judgment of the European Court of Justice. Such transfers would be prohibited if the authorities became aware of them. New approvals for data transfers based on data export contracts and company regulations would no longer be granted. The view of the British and Irish data protection authorities, according to which the court only declared Safe Harbor ineffective, but not the data export based on EU standard contractual clauses or informed consent, is not shared by the German data protection officers. Repeated, massive and routine data transfers could in principle no longer be covered by consent. This applies in particular to the data of employees or third parties. The legislature was asked to give the data protection authorities their own right of action. In October 2015, the European data protection authorities agreed on a transition period for a new regulation of data transmission to the USA until the end of January 2016. After several months of negotiations, the successor agreement, the EU-US Privacy Shield, was adopted on July 12, 2016 by the European Commission. It could be used between August 1, 2016 and July 16, 2020.

Safe Harbor USA-Switzerland

The Swiss State Secretariat for Economic Affairs (SECO) and the Federal Data Protection and Information Commissioner (FDPIC), together with the USA, have also drawn up a set of rules for Switzerland that is intended to guarantee an adequate level of data protection for the companies certified under it.

The FDPIC stated that with the US-Swiss Safe Harbor Framework, a basis had been created with the USA that would facilitate data transfer between Switzerland and US companies.

After the aforementioned ruling by the European Court of Justice of October 6, 2015 (case C-362/14), the Federal Data Protection and Information Commissioner published a brief statement in which he stated that the agreement between Switzerland and the USA would also be called into question by this ruling.

Literature

  • Georg Borges: Data transfer to the USA according to Safe Harbor. NJW 2015, 3617
  • Alexander Genz: Data protection in Europe and the USA. A comparative legal study with a special focus on the Safe Harbor solution. Zugl.: Gießen, Univ., Diss., 2004. Series: DuD specialist contributions. Wiesbaden: German university publishing house. 2004. ISBN 3-8244-2185-2
  • Dirk Heckmann and Tobias Starnecker: No Land in Sight - The Dilemma of the Safe Harbor Judgment. Juris, Die MONT magazine, 2016, 58
  • Robert Klecha: Data transfers to the USA after the Safe Harbor ruling by the ECJ. An investigation with special consideration of the EU-US Privacy Shield. In: Series of publications on data protection and freedom of information. No. 22. Publishing house Dr. Kovač, Hamburg 2018, ISBN 978-3-339-10480-9.
  • Hannes Rathke: Current term: Europe. Invalidity of the Commission decision on the principles of the “safe haven” - ECJ judgment in case C-362/14 (Schrems). Scientific service of the German Bundestag. Department of Europe. No. 06/15. October 9, 2015. Retrieved October 15, 2015.
