Safe Harbor Accord Invalid - What can South Africa learn?

Posted October 8, 2015
Written by Mark Heyink
On the 6th October 2015 the European Court of Justice (“ECJ”) ruled that the Safe Harbor Accord between the European Union and the United States was invalid. ~~The Safe Harbor Accord was designed to fill the vacuum created by the EU Privacy Directive in 1995, that directed EU countries to adopt in their domestic law the principle that personal information could not be transferred to countries having inadequate “data protection” laws. As the USA fell into this category and due to the very significant trans-Atlantic flow of data, an accord was brokered. This allowed data transfers in terms of strict conditions that were required to be fulfilled by USA processors of EU citizens’ data.

The revelations of Edward Snowden confirmed, among other things, that USA owned companies and large processors of personal information had cooperated with the National Security Agency in the collection of personal information relating to the EU citizens, contrary to the safe harbor accord. This was objected to by an Austrian law student, Max Schrems. The case eventually found its way to the ECJ, which ruled that the Safe Harbor mechanism failed to establish the safeguards required by data protection authorities in the EU and declared it to be invalid.

While it is uncertain at this time exactly how this dramatic development in the jurisprudence of privacy will play out, what is certain is that this is a massive blow for USA-based tech companies which process vast amounts of data belonging to EU citizens. The decision is likely to force EU companies relying on USA “hosts” to find alternative mechanisms to process this information in more privacy-friendly environments. While it is impossible to accurately predict the affect that this will have on data processing globally or the significant economic consequences, the decision has considerable ramifications for both the USA and the EU. This will have a ripple affect across the globe.

What does this have to do with South Africa? Currently South African law is inadequate, not so much in the content of the Protection of Personal Information Act, but the dilatory approach of government to rendering it effective. We had the opportunity to “leapfrog” into a position of establishing credible and adequate privacy law, but the glacial pace at which government has chosen to deal with finalising the Act and its implementation has robbed South Africans of a fundamental constitutional protection and has been a dis-incentive to desperately needed investment in South Africa. We have now again fallen a long way behind the rapid developments in privacy law, necessary to address abuses arising from the development of technologies and applications. Had government acted with any sense of urgency in addressing this 21st Century problem we would by now have had a regulator in place to address these crucial issues. As I have stated in the past, its failure to do so makes it an accomplice to every breach of information privacy and much of the cybercrime committed against South African citizens.

Further, the significant imbalance between privacy and the powers given to law enforcement and national security agencies in terms of the proposed Cybercrime and Cybersecurity Bill, which is currently awaiting public comment, places South Africa in no different position from the USA.  It was the lack of demonstrable control over the NSA, the NSA overreaching its mandate and the imbalance between the right of privacy and legitimate cybersecurity that has resulted in the decision of the ECJ. Indeed, despite the warnings that have been provided to the drafters of the Cybercrime and Cybersecurity Bill in this regard, it appears that government is intent to go ahead without redressing a similar imbalance in the Bill and despite the clear warnings that exist against this course of action, it seems intent on making the same mistake as the USA in underestimating the importance of proper privacy legislation. I stress that I am totally in favour of legislation governing cybercrime and cybersecurity and have been crying out against the lamentable omissions by government in this regard for many years. However, without the balance between privacy and security that is a feature of all credible cybersecurity frameworks, the very core of the civil liberties that our open democracy seeks to protect, are threatened.

If the ruling party is as serious about human rights as it professed to be in addressing the Al Bashir debacle, it should evidence its political will by moving swiftly to establish proper frameworks to address the novel threats of our 21st Century information society, in respect of which privacy and cybersecurity are central. Lip-service and empty promises are simply not enough if South Africa is to unlock the enormous advantages that modern information and communications technologies hold, or protect against the serious abuse that the same technologies threaten.

©Mark Heyink 2015
www.privacyonline.co.za

Subscribe
Unsubscribe  
news