International Data Transfer – a Legal Gray Area
Both the EU and the US regularly find themselves grappling with the issue of data protection. The European Court of Justice (ECJ) recently declared the Safe Harbor data protection agreement invalid, as US companies did not sufficiently protect data transferred from Europe. Fundamentally, the legal situation around data and data traffic is unclear, and there are very few internationally valid regulations on the matter. In the run-up to the conference Regulating International Transfer of Data, international law specialist Krista Nadakavukaren explains why the regulation of international data transfer is still largely unresolved.
21 March 2016
Ms. Nadakavukaren, why does the legal system struggle so much with the regulation of data transfer?
The source of the problem is that, legally speaking, data itself is not clearly defined. We simply don’t know what data actually is. Our legal system works with categories to which existing rules are applied. Until now, data has not been clearly assigned to any of these legal categories. Is it a commodity, or is it more of a service? Is it property, or could it even be a resource? Without a clear classification to one of these tangible terms, the legal system will struggle to effectively regulate data traffic. In addition, our digital world is evolving so rapidly that the legal system is constantly lagging behind.
Are there any potential solutions?
Personally, I’m not sure that our current legal thinking is actually suited to finding a solution here. One idea would be to regulate each individual area of data transfer separately. But that would mean that data transfer is treated in completely different ways, depending on the use of the data. To me, this does not seem particularly sensible or practical. Perhaps we need a completely new category, in which data is simply defined as such, and around which we can build a new set of rules. All these considerations make this field so challenging and interesting for me – one has to think creatively and explore fundamentally new approaches. The topic is still very much in its infancy, and our conference aims to deliver some initial ideas and inspiration.
The theme of the conference has become highly topical in the light of the ECJ judgment. What exactly was the Safe Harbor agreement all about?
The Safe Harbor agreement between the EU and the US came into force in 2000. Essentially, the issue was that the US, in Europe’s view, did not offer a high enough level of data protection, so specific agreements had to be reached for the transfer of personal data to a US company. This is a very cumbersome process, which mainly disadvantages small and medium-sized businesses. In order to facilitate data traffic, Safe Harbor developed a set of rules enabling US companies to register on a list by means of self-certification, and thus commit to sufficient protection of the data transmitted from Europe. However, compliance with this obligation was not externally monitored, nor did it offer any protection against NSA data collection. Incidentally, a similar agreement exists between Switzerland and the US. In the light of recent developments, this will also have to be reconsidered.
Why did the ECJ declare the agreement invalid in October 2015?
The Austrian lawyer and data protection activist Maximilian Schrems issued a complaint to the ECJ specifically relating to data protection on Facebook. Facebook allows data from its European users to be processed in the US, which is why they also signed up to the Safe Harbor list. Based on Edward Snowden’s revelations, Schrems argued that the Safe Harbor agreement did not sufficiently guarantee the protection of data by companies such as Facebook. The court supported this opinion, and went on to explain that the current process for transfer of data between the EU and the US was unlawful and that the agreement was invalid. So the timing of our conference could not be better. However, I had already started the planning before the ECJ decision – a happy coincidence, one might say.
What can participants at the ‘Regulating International Transfer of Data’ conference expect?
Safe Harbor is about personal data, and therefore also about the protection of personal privacy. It’s an important subject that the conference will tackle accordingly. But the event will also address international transfer of data as it occurs in the financial world, in intelligence agencies, and in international trade. We have invited experts from various fields of law, as well as representatives of companies and governments. Their contributions will all help shed light on the subject from different perspectives. One of the highlights of the day, without a doubt, will be Monty Raphael’s contribution. He is one of London’s foremost criminal lawyers and he will close the conference with a keynote speech on cyber security.
«Regulating International Transfers of Data»
The conference Regulating International Transfer of Data takes place on 7 April 2016 at the Faculty of Law’s Pro Iure Auditorium. The event begins at 8:30 am and continues until about 7:00 pm. The participation fee to cover costs is CHF 90.00. Requests to register should be sent by email to office-nadakavukaren-ius@unibas.ch by 25 March 2016.