EU Court invalidates Safe Harbor Arrangement – repercussions for Israel
Recently, an official announcement was issued on behalf of the Law, Information and Technology Authority of the Israeli Ministry of Justice (“ILITA“), as a result of the ruling of the European Union’s Court of Justice invalidating the Safe Harbor Arrangement governing transfers of personal information from Europe to the United States – at this stage, the transfer of personal information from Israel to organizations in the United States on the basis of that arrangement is prohibited.
The key points in the announcement of ILITA:
Transfers of personal information outside of EU member countries
According to the principles specified in the provisions of the European directive regarding protection of personal information – the transfer of personal information outside the borders of European Union member countries is prohibited, except for specific exceptions, including transfers of information to a country that the European Union has deemed as providing an adequate level of protection for personal information.
The Safe Harbor Arrangement
The decision of the EU Commission of July 26, 2000 prescribed that American corporations included in a Safe Harbor Arrangement, guarantee an adequate level of protection of personal information. According to the arrangement concluded between the U.S. Department of Commerce and the European Commissioner, an American organization desiring to be included in the arrangement must undertake strict principles for safeguarding personal information similar to the requirements of the European law and subject to the provisions of the European Directive.
The Safe Harbor Arrangement enabled those same thousands of American companies sheltered under it (including such companies as Google, Facebook, Amazon and Microsoft) to transfer personal information about EU citizens from Europe to the United States, for the purposes of processing, saving and storage.
Ruling of the European Union’s Court of Justice
In the wake of the revelations that were made following the Edward Snowden exposé in 2013 about how U.S. intelligence agencies are making use of information, an Austrian citizen, Maximilian Schrems, who was a Facebook user, filed a complaint with the Data Protection Commission in Ireland alleging that American law and practice are failing to provide adequate protection against American authorities’ monitoring of information being transferred to the United States, including European users’ information stored in Facebook’s servers located in the United States.
The Irish Data Protection Commission rejected the complaint, based mainly on the aforesaid EU Commission Decision, which approved the Safe Harbor Arrangement. In light of this, the aforesaid complaint was referred to the European Union Court of Justice.
In its judgment of October 6, 2015, the European Court of Justice stated that, according to U.S. law, American companies’ commitment to comply with the Safe Harbor principles concerning use of information do not apply to public and government authorities in the United States, and therefore – American authorities’ demands for disclosure of information, on the grounds of national security or public interest, that are being issued to American companies, are compelling American companies to disclose personal information, even when such demands violate the provisions of the Safe Harbor Arrangement.
The court ruled that, notwithstanding the provisions of the European Directive, the U.S. law enables the authorities there to access and process personal data in a manner that has no bearing on the purposes for which the information was collected, and that far exceeds what is strictly necessary and proportionate. According to the court ruling, the law in the United States cannot be defined as proportional, since it grants agencies authorities that are too sweeping, such as the authority to access and store all personal information of any kind of all persons whose data has been transferred from EU member countries, indiscriminately, without any restrictions or exceptions being made in the context of the objective pursued, and without prescribing criteria for setting limits to the government authorities’ access to data, and to their ability to make subsequent use thereof. According to the court’s line of reasoning, the legislation that grants blanket authorization to government authorities to access content of communicated messages – constitutes a material violation of the fundamental right to privacy.
The court also stated that the U.S. law does not provide individuals any means of legal redress or of exercising their right to peruse personal data that is being stored about them in the United States, and thus, the U.S. law is prejudicing the fundamental right to effective judicial protection of their rights to privacy.
In view of the aforegoing, the European Court has ruled that the EU Commission Decision approving the Safe Harbor Arrangement is invalid. Subsequently, the court also ordered the Irish Data Protection Commission to re-examine the complaint submitted to it and to ascertain whether it is warranted to suspend transfers of information of European Facebook users to the United States, on the grounds that it is impossible to guarantee adequate protection of this information.
Repercussions of the European ruling on the privacy protection regime in Israel
The Privacy Protection Regulations prohibit any cross-border transfer of information from a database in Israel, unless the local law of the recipient country guarantees a level of protection for the information that is not inferior to the level of protection under Israeli law, or unless one of the exceptions specified in the sub-sections of section 2 of the Regulations applies.
One of the exceptions, specified in Regulation 2(8)(2), prescribes that personal information may be transferred from Israel to a foreign country to which the European Union permits information transfers.
In light of the EU Commission Decision, which states that organizations that are committed to the principles of the Safe Harbor Arrangement are providing an “adequate level of protection” for personal information, as this term is defined in section 25(2) of the European Directive – the position of ILITA had been – up until now – that these companies fall within the scope of the exception that enables transfers of personal information from Israel pursuant to Regulation 2(8)(2) of the Regulations.
Now, ILITA is stating in its announcement that, as a result of the above ruling of the European court, its position at this stage is that it is no longer possible to rely on this exception in the Regulations as a basis for justifying transfers of personal information from Israel to organizations in the United States.
Given that the Safe Harbor Arrangement is no longer valid pursuant to European law, and for as long as some other valid arrangement is not put into place, or until such time as the European Union issues another official decision pertaining to information transfers from European Union member countries to destinations in the United States, database owners who want to transfer personal information from Israel to organizations in the United States are required to examine whether they can justify the information transfer based on one of the other exceptions specified in the Regulations.