Safe Harbour is dead - prepare for enhanced supervision

October 06, 2015


Today's landmark decision of the Court of Justice of the EU has delivered what was unthinkable only twelve months ago: the end of the Safe Harbour regime.

Mr Schrems, the litigant behind this case, has delivered a crushing blow to the data protection establishment here in the EU and in the United States.  He has exposed what now seems to be a fundamental vulnerability at the heart of the EU data protection regime, namely its reliance on commercial and political compromise.  The Safe Harbour Decision was adopted to maintain the free flow of personal data across the Atlantic, which is critical for economic and social prosperity.  However, we now know that European law does not permit such compromises, however essential they may seem.  The European Convention on Human Rights, the EU Charter of Fundamental Rights and, of course, data protection law itself are much more "rigid" than the Safe Harbour Decision implied: privacy law has to be rigidly applied.  It cannot be bent out of shape for commercial and political purposes.

Rigidity means strictness.  This is the most significant impact of the CJEU judgment.  Every national supervisory authority in Europe now knows that it will have to apply intense scrutiny to the challenges that come its way.  Complaints will have to be properly investigated on their facts.  If they are not, the citizen and the courts will become the regulators.  The natural extension of this new reality is tougher regulation.

When the GDPR is adopted, it will give the regulators unprecedented fining powers and the power to intervene in business.  It will also give "Civil Society Organisations" (sometimes called "pressure groups" or "privacy advocates") and citizens the legal right to take on business in litigation.  The regulators themselves will also face more frequent legal challenge from citizens if they do not do their jobs properly.  It all heads in only one direction: tougher regulation.

All of the GDPR's compliance obligations will then become the benchmarks against which business is judged.  The pressure will extend well beyond international transfers.  In this new environment the only Safe Harbour for business will be robust compliance mechanisms, mature assurance and sophisticated systems for fault detection and complaints handling.  Weaknesses in these areas will be quickly identified during periods of intense scrutiny.