Yesterday I wrote about the impact the collapse of Safe Harbour would have on organisations that had been transferring personal data under the protection of that framework.
Today, with the benefit of hindsight, as well as some interesting developments over the past 24 hours, I want to discuss some of the more political ramifications of the ECJ's decision.
Was Safe Harbour known to be 'unsafe' before yesterday?
In short, yes. The ECJ's decision had been expected since the Advocate General (AG) delivered his opinion on the matter some two weeks previously. Although an AG's opinion is not binding on the Court, it concluded that the Commission's Safe Harbour decision was invalid, because the framework did not ensure an adequate level of protection for personal data.
In addition, the AG, Yves Bot, also found, and this is the key point behind Max Schrems' challenge to the Irish Data Protection Commissioner, that a Commission adequacy decision does not remove the powers of national regulators: they have always had the power to investigate a complaint about transfers made under Safe Harbour and, where warranted, to suspend those transfers.
The reason why the Advocate General, and in turn the ECJ, became involved is that the then Irish Data Protection Commissioner, Billy Hawkes, had, on legal advice, stated that he did not have the power to challenge the validity of Safe Harbour. This arose from Max Schrems' complaint that Facebook was giving U.S. federal authorities access to the data of European citizens.
However, we can go further back again to find clear signs that Safe Harbour was in trouble.
The first sign came with the revelations of the whistleblower Edward Snowden. His disclosures about the degree of access to data that U.S. multinationals were providing to the NSA and other federal authorities set off the first concerns about the adequacy of Safe Harbour.
Indeed, as far back as 2013 the E.U. Commission began negotiations with the U.S. on restructuring Safe Harbour to make it fit for purpose. The relevant authorities have therefore been 'on the case', so to speak, for some time, but the ECJ's decision will surely focus minds on bringing those negotiations to a conclusion.
How does this affect the General Data Protection Regulation?
Yesterday, the German Data Protection Authority fired a broadside at their Irish counterparts, stating that the latter had put 'blind trust' in Safe Harbour. To be honest, that is a harsh critique considering:
1. The Irish Data Protection Commissioner had been given legal advice that there was no mechanism by which his office could challenge Safe Harbour. Indeed, the Irish High Court itself declined to decide the point and referred it to the ECJ;
2. No other regulator, including Germany's, challenged Safe Harbour at any point over the years.
Frankly, yesterday's statement from the German authorities should be seen in the political light of the tricky negotiations around the 'One-Stop-Shop' idea in the GDPR. There is a lot of disquiet, stemming from the Max Schrems case, at the prospect of a single authority representing citizens of another E.U. country on matters of such significance.
Whether or not there is a trust issue at play here, this thorny issue needs to be resolved, and it certainly seems that the more democratic the solution, the more cumbersome it will become.
Whether or not this becomes THE issue that delays a final agreed draft of the GDPR will become evident over the rest of this year.
What about Facebook?
Of course, the whole starting point that got us to yesterday is Facebook and its transfer of data to the U.S. The Irish Data Protection Commissioner, headed by Helen Dixon since late last year, will now likely have to initiate a full and thorough audit of Facebook, covering the nature and scope of these transfers.
This could mean that Facebook users throughout the E.U. see some form of functionality restriction or service issue until Facebook is able to put alternative transfer arrangements and process changes in place, all of which will likely require some oversight by Helen Dixon.
What about everyone else?
I have read a lot, and indeed wrote yesterday, about Model Contracts (the Commission's standard contractual clauses). There seems to be an expectation that these are the panacea for all ills. In part they are, but a Model Contract is a template that covers only the core terms needed to protect the rights of Data Subjects. Without Safe Harbour, organisations are going to have to implement much tighter controls and oversight over the personal data within their remit, and reflect that not just in contracts but also in practice. That is where the big costs will fall for those not already living in that reality.
My suspicion is that the true cost of implementing these controls, as well as the reputational risk of not having them in place, is something most organisations have no visibility of right now.