The monthly law journal which covers all aspects of data protection and data privacy: data transfer & outsourcing, marketing and e-marketing, freedom of information (FOI), employee monitoring, privacy compliance, online data acquisition and consent, personal data, website compliance and emerging technologies such as behavioural advertising, cloud computing and smart grids. / read more
Let me put this straight: I believe that in the internet age a law that places an outright prohibition on dataflows on the basis of geography is a bad law. Digital information is naturally immune to jurisdictional barriers because the wired and wireless networks it inhabits were created to be global. So placing jurisdictional restrictions on the flow of that information is both unrealistic and ineffective, as the focus shifts from protecting the information irrespective of its location onto how to overcome those artificial restrictions. Yet many laws around the world - old and new - create such barriers in an attempt to preserve the protection afforded to that data in their home jurisdiction. For more than 20 years, Europe has led the charge on this front and the forthcoming data protection regulation is set to preserve the same regime for another 20 years.
Safe Harbor was borne out of the need to overcome the restriction on transfers of personal data from the EU to the US. For decades, Safe Harbor has tried to apply European concepts and principles to a self-regulatory framework that was exclusively available to US corporations. In some cases, Safe Harbor has served as a blueprint for global compliance programmes, whilst in others it has merely been a convenient mechanism to deal with European legal eccentricities. All in all, Europe has always been cynical about the ability of Safe Harbor to deliver European standards of protection to data transferred under it.
Enter Snowden and it was obvious that Safe Harbor was going to be a target of Europe’s anger at America's digital surveillance activities. Fast forward the clock to today and Safe Harbor’s future lies in peril at the hands of a court that has consistently ruled against anything that was perceived to threaten Europe's fundamental rights to privacy and data protection. For what it’s worth, the Court of Justice of the European Union (‘CJEU’) case on the status and validity of Safe Harbor, is not a case against the US technology industry or the ability of the European Commission to agree the right standards of protection. It is a judgment on the level of interference with fundamental rights by the US Government and, as we all know, the CJEU has set a very high bar when it comes to dealing with fundamental rights.