The Harbor is No Longer Safe
As a child in the 60’s, I remember reading Hildegarde Swift’s classic children’s story “The Little Red Lighthouse and the Great Gray Bridge.” As the story begins, the Little Red Lighthouse is so proud! With his light and fog bell, he warns the ships that are passing by of the nearby rocks.
To his dismay, men build a Great Gray Bridge right next to him! With all of the lights on the bridge to guide the ships, the Little Red Lighthouse feels that he is no longer needed and begins to despair.
One night, a dense fog rolls in and the boats in the river are unable to see the lights on the Great Gray Bridge. A tugboat crashes on the rocks. The bridge calls to the lighthouse and tells him that he is still needed! The man comes, lights his little light, sounds his little fog bell and saves the other ships. The Little Red Lighthouse is proud once again.
In 1995, the European Union adopted Directive 95/46/EC (The Data Protection Directive). This directive regulates the processing of personal data within the European Union and is a key component of privacy and human rights law within the EU. Protecting “personal data” of the individual citizen is paramount in the EU, and the definition of “personal data” is by design extremely broad:
"any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;" (art. 2 a)
Like the Little Red Lighthouse, the Data Protection Directive helped member countries navigate the rocky rivers of protecting the personal data of their citizens. It did its job well.
Enter the internet age, the global economy age, the “big data” age. Data was (and is) no longer static, residing on individual workstations. It exists “in the cloud”, a formless, location-less place data flows into and out of without respect to lines drawn on a map.
So men came and built a Great Gray Bridge. Instead of a single light and fog bell, the bridge had many lights intended to guide the boats. One of the brightest lights was called the “Safe Harbor” framework. This framework enabled the transfer of personal data to “Third Countries,” that is, any country outside the EU, most specifically the United States. Seven principles regarding the flow of personal data were created:
1. Notice—data subjects should be given notice when their data is being collected;
2. Purpose—data should only be used for the purpose stated and not for any other purposes;
3. Consent—data should not be disclosed without the data subject’s consent;
4. Security—collected data should be kept secure from any potential abuses;
5. Disclosure—data subjects should be informed as to who is collecting their data;
6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
7. Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
Then the fog blew in. The world found out that the flowing river was itself being monitored by the NSA. Data that was supposed to remain private was being collected, filtered and analyzed in direct opposition to the principles of privacy in the EU. Boats began to crash.
On September 23rd, Yves Bot, the Advocate General of the Court of Justice of the European Union (CJEU), issued a blistering opinion regarding the failure of the Safe Harbor framework to protect the privacy rights of EU citizens (emphasis mine). On October 6th, the CJEU concurred with the opinion and ruled Safe Harbor to be invalid.
“III – Conclusion
237. In the light of the foregoing, I propose that the Court should answer the questions referred by the High Court as follows:
Article 28 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the existence of a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46 does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.
Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the Department of Commerce of the United States of America is invalid.”
Time to find the keys, light the little light, and ring the fog bell.
P.S. “The Little Red Lighthouse and the Great Gray Bridge” is a tale about a real lighthouse that is still in existence on the Hudson River in New York City. Go see it for yourself. It’s in Fort Washington Park, sitting under the George Washington Bridge. And buy the book for your children!