U.S. Is No Longer a Safe Harbor for EU Data
Safe Harbor, the agreement that allowed free exchange of data with EU countries, has been declared invalid by the European Union Court of Justice.
Editor’s Note: The Campbell Law Observer has partnered with Judge Paul C. Ridgeway, Resident Superior Court Judge of the 10th Judicial District, to provide students from his International Business Litigation and Arbitration seminar the opportunity to have their research papers published with the CLO. The following article is one of many guest contributions from Campbell Law students to be published in the Spring 2016 semester.
BY: Carson Ray Martin, Guest Contributor
The EU/U.S. data market is big, really big. Since the year 2000, huge U.S. data firms, such as Facebook, Google, Microsoft, Twitter, and Amazon, have developed major markets in Europe. According to the Brookings Institute, in 2012, U.S. exports of digitally deliverable services globally were worth $384 billion (over $140 billion went to the EU). This market represents a significant segment of market share for many U.S. data firms. And that market share has, until recently, been entirely dependent on one agreement with the EU called “Safe Harbor” (European Commission Decision 2000/540), a policy on data privacy which few non-insiders have even heard of.
Now, as the result of Maximilian Schrems v Data Protection Commissioner on October 6, 2015, Safe Harbor has been declared invalid by the EU High Court (the European Union Court of Justice, “CJEU”). Any data transfer from EU to U.S. servers that, up until the decision, was assumed to be in compliance with EU privacy standards is now unlawful under EU law. In effect, this decision has removed the protection of EU law for trans-Atlantic data transfers to U.S. servers.
Over its fifteen-year history, serious doubts as to the effectiveness of Safe Harbor had been repeatedly expressed by interested parties, including allegations of failures to enforce the program by the United States. The scheme was already being renegotiated by the European Union and the United States as early as January of 2012. In fact, the Schrems decision was in many ways the culmination of more than a decade of growing fears among European privacy advocates, beginning with the passing of the Patriot Act in 2001, and leading up to the revelations leaked by Edward Snowden regarding the NSA’s data mining activities in 2013. The immediate effect of the CJEU’s decision to invalidate Safe Harbor was to send “shock waves through the United States and Europe,” according to Henry Farrell of the Washington Post. In order to understand why this decision goes to the heart of the EU’s differences with the U.S. on issues of personal privacy, and what it means for U.S. companies, some history regarding Europe’s privacy laws and policies is essential.
What Does Data Privacy mean in the European Union?
Privacy law is a highly developed area of jurisprudence in Europe, and the manner in which it is understood by European courts can be traced back to the European Convention on Human Rights (“ECHR”) which took effect in 1953. All members of the European Union (“EU”) are signatories to the ECHR which, among many other things, establishes an inalienable right to respect for one’s “private and family life, his home and correspondence.”
The ECHR concept of privacy was eventually applied to personal data when in 1980, under the authority of the EU, the Organization for Economic Cooperation and Development (“OECD”) drafted a list of seven guidelines for governing data protection. They were: 1) notice—data subjects should be given notice when their data is being collected; 2) purpose—data should only be used for the purpose stated and not for any other purposes; 3) consent—data should not be disclosed without the data subject’s consent; 4) security—collected data should be kept secure from any potential abuses; 5) disclosure—data subjects should be informed as to who is collecting their data; 6) access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and 7) accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles. These principles were put forth in an effort to provide a comprehensive data protection directive for EU member-states.
The principles were non-binding at the time of their introduction; however, all seven would eventually be codified in the Data Protection Directive (Directive 95/46/EC; “DPD”) in 1995. The DPD defined terms like “personal data” and “processing” and laid out standards of transparency and legitimate purpose in data acquisitions as they applied to international data companies and sovereign nations. It also set forth requirements for the formation in each member-state of a supervisory authority, as well as standards for transfer of data to “third countries” (the name for non-member-states given in EU policy documents). All member-states were required to pass their own version of the DPD into law by the end of 1998, by which time all EU member-states had done so.
One other element of the directive, Article 29, would provide the vehicle for the so-called “Safe-Harbor” decision in 2000. Article 29 created the “Working party on the Protection of Individuals with regard to the Processing of Personal Data”, commonly known as the “Article 29 Working Party”. The Working Party (“WP”) gave advice about the level of protection in the European Union and as between Europe and third countries. It was the WP, made up of regulatory authorities from EU member-states, who negotiated with U.S. representatives about the protection of personal data; Safe Harbor was the result.
What is the Safe Harbor Decision, and why is it so important?
In the mid-1990s the precursor to the Safe Harbor decision, the Safe Harbor Principles, was established as a method for U.S. companies to self-certify that they were adhering to the seven principles laid out in the DPD, so that they could freely exchange data with EU countries and Switzerland. This allowed free data flow on the understanding that by self-certifying, those companies were agreeing to comply with the European standards for data privacy set forth in the DPD. The EU and U.S. agreed to this compromise after the U.S. resisted EU pressure to introduce new laws that would have protected the privacy of EU citizens’ data. The Data Protection Commission (“DPC”) eventually cemented this understanding in 2000, after talks between the U.S. Dept. of Commerce (“USDOC”) and the commission led to the finding that the USDOC’s privacy framework substantially complied with EU privacy standards. This finding is what came to be known as the Safe Harbor decision. If U.S. companies broke their commitments under the decision, they faced exposure to sanctions from the Federal Trade Commission or EU authorities.
The DPC came to the Safe Harbor decision less than a year before the attacks of Sept. 11, 2001. After that tragic day, the Patriot Act passed through the U.S. legislature in short order, giving the U.S. intelligence gathering apparatus broad powers to suspend privacy standards in order to fight terrorism. The ramifications of that Act are too numerous to discuss here; however, it is important to note that the powers granted in the Patriot Act deeply alarmed many privacy advocates worldwide, and undoubtedly gave rise to the NSA’s data mining program (PRISM) later revealed by Edward Snowden. For many of those privacy advocates, like Maximilian Schrems, the Snowden revelations confirmed their worst fears regarding the deficiencies of data protection in the U.S. Despite these widespread reservations, however, the Safe Harbor decision remained in place until October of 2015, when it was invalidated by the CJEU in Schrems.
What did the CJEU Decide and Why?
Maximilian Schrems, a privacy activist, Danish citizen, lawyer, and Facebook user since 2008, brought his case alleging mishandling of personal data by Facebook under the standards set forth in the DPD. His complaint cited the revelations of Edward Snowden regarding the mass data mining operations of the NSA’s PRISM program as proof that the U.S. could not be meeting DPD standards. The case was initially brought before the Irish supervisory authority (the Data Protection Commissioner) because Irish Facebook servers were responsible for transferring all European Facebook data to U.S. servers from Ireland, and therefore Ireland was the location of the injury for purposes of jurisdiction.
That body rejected the complaint, stating that the DPC had already ruled on the adequacy of U.S. data protections under the Safe Harbor decision in 2000, finding them to be essentially equivalent to EU standards. Schrems then appealed to the High Court of Ireland, which in turn sent an inquiry to the CJEU requesting clarification regarding its authority to rule on the validity of the DPC’s Safe Harbor decision, and to cut off the transfer of data if it found Facebook to be in violation of DPD standards.
The CJEU found that a national court/supervisory-authority inquiry into the sufficiency of a third nation’s adherence to the Data Protection Directive, as instituted by the DPC, was permissible. The court stated that the DPC had no authority to reduce or alter the right of sovereign nations under the Charter of Fundamental Rights of European Nations. In other words, a finding by the DPC did not preclude a national court from evaluating whether a third nation (in this case the United States) was meeting the requirements of the Data Protection Directive, and then bringing its concerns before the CJEU if it concurred that there had been a violation. The court, however, stressed that the final determination of the validity of the Safe Harbor decision rested solely with the CJEU, as sole arbiter of any EU executive decisions.
Having decided the preliminary question of authority, the court then turned to the substantive issue of the case. The DPC had been charged with evaluating the whole of U.S. domestic and international policy regarding the transfer and treatment of data in order to make its decision regarding the adequacy of protection for EU citizens’ personal files. The court found that the DPC did not evaluate the sufficiency of the protections put in place by those companies (from independent agencies or the U.S. government) in comparison to those required in Europe, as was required of it, but rather simply examined the Safe Harbor scheme itself. Even though the DPC did find that the protections of American companies for EU data were bound to give way to policy interests and national security, it nevertheless found Safe Harbor to be satisfactory and allowed the U.S. companies to transfer data under its authority.
The CJEU found that the Safe Harbor Decision was therefore invalid, not because of an evaluation of the scheme itself, but rather because of U.S. Law which made consideration of the scheme moot. They reduced their reasoning to three core failures which precluded the efficacy of Safe Harbor. First, that the U.S. had legislation in place permitting the government to have access on a generalized basis to the content of electronic communications. This fact, the court said in their press release of October 6, 2015, “must be regarded as compromising the essence of the fundamental right of European citizens to respect for their private lives.”
Second, the court observed that the U.S. also had laws on the books which failed to provide for any possibility for citizens to pursue legal avenues to obtain access to personal data relating to themselves, or to obtain the correction or deletion of that data. According to the CJEU’s decision, this legal deficiency “compromises the fundamental right to effective judicial protection.”
Finally, the Court found that the DPC’s Safe Harbor decision denied the national supervisory authorities the power to re-evaluate whether the decision is compatible with the protection of the DPD. The CJEU stated that “the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.”
The CJEU’s judgment included instructions that the Irish supervisory authority of the DPC should examine Mr. Schrems’ complaint “to decide whether transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.” In short, the Irish courts now have the authority to shut down Irish Facebook’s transfers of EU user data to U.S. servers.
What Results Have Already Been Seen?
The consequences of this milestone ruling by the CJEU are being felt worldwide and both private and government authorities are scrambling to decide their next moves. As mentioned above, in January of 2012, in response to dissatisfaction with the Safe Harbor scheme, the Article 29 WP rolled out a draft of an updated version of the DPD called the General Data Protection Regulation (“GDPR”), (to be implemented by 2017 with a deadline of 2019) which deals with the effects of globalization and new technology like the cloud. The negotiation of this new plan has been halted as a result of Schrems because the WP no longer has the ability to make the concessions they might have otherwise made. The WP’s hands are in effect tied by the CJEU’s decision, and until the concerns addressed by the CJEU have been addressed by the U.S. Government, it is likely that any progress towards an updated data policy will remain stalled.
Immediately after the decision in Schrems was announced, the European Commission held an emergency meeting in order to discuss reactions and new policy. Afterward it issued a statement which confirmed that Schrems took effect immediately, and that any transfers under Safe Harbor were now unlawful. It did, however, allow that it would wait until the end of January 2016 before enforcing the holding from Schrems. It also stated that companies might protect themselves during the “transitional period” by utilizing Model Contracts (“MC”) and Binding Corporate Rules (“BCR”).
To clarify, according to financial news site Mondaq.com, an MC “imposes obligations on both the exporter and the importer of the personal data to ensure that the transfer arrangements protect the rights and freedoms of the data subjects.” BCRs “act as a guarantee against personal data transfers and must be approved by the data protection authorities in each jurisdiction in which the company operates.” Even if companies do employ MCs or BCRs, the European Commission made it clear that EU citizens now have the right to bring data-mismanagement claims before their respective supervisory authorities for review. These supervisory authorities are also to undertake campaigns to inform companies in their regions of the consequences of Schrems.
In addition to the EC response, several individual nations, including non-EU-member-states, who are affected by Schrems have taken their own steps. These nations’ reactions are too numerous to mention in minute detail; however, all of the official reactions from EU member-states have in essence been in support of Schrems, and have then gone on to mention specific ways that the decision will affect their citizenry and business within their borders.
Israel’s reaction might be indicative of broader change after Schrems:
The CJEU’s decision to invalidate Safe Harbor is not only an EU or even a transatlantic problem, and the reaction from Israel is potentially indicative of the position of the global community outside of the EU. In late October 2015, according to IT law website francoisegilbert.com, Israel’s data protection authority (the Israeli Law Information and Technology Authority, or ILIT) stated that transfers of data to the U.S. by Israel-based companies under Safe Harbor were now unlawful. The immediate consequences of this action were summed up neatly by the ILIT in a statement released after the decision: “Israeli companies that relied [on Safe Harbor] can no longer do so to justify the legality of their transfer of data to the United States.”
The fact that Israel is not an EU member-state, and furthermore is a particularly close intelligence-gathering ally of the U.S., speaks volumes. Israel’s position makes it abundantly clear that the broader international community recognizes the essential nature of privacy protections in the digital age and that the EU’s higher standards for personal data protection are what the global community now aspires to. Many more countries may follow Israel’s lead, and the possibility that the European Commission will reconsider whether countries it previously considered as providing “adequate” protection to personal data actually still do should not be ruled out. The principal significance of Israel taking this stance is that the U.S. may now find little alternative to legislative reform in the area of digital privacy now that the global bar has apparently been raised.
U.S. Reactions from the Private Sector:
Many prominent members of the U.S. tech community have issued statements emphasizing the vital necessity of an agreement like Safe Harbor being in place. Their sentiments are exemplified by this statement by Information Technology Industry Council President Dean Garfield which he made in an interview with ITI.org leading up to the decision: “The Safe Harbor has been indispensable in facilitating the cross-border flows of data that are as critical to transatlantic and global business as maritime shipping lanes and currency exchanges.” Without the legal umbrella afforded by Safe Harbor, “more than 4,000 companies in industries including technology, financial services, and hospitality will be left scrambling to meet alternative regulations in order to transfer data across the Atlantic.”
These feelings were echoed by the U.S. Chamber of Commerce, which voiced the particular concern of many corporations about the lack of direction from the CJEU regarding what companies should do until a new Safe Harbor equivalent is passed. Its statement read in part: “It is particularly alarming [Safe Harbor] has been invalidated with no discussion of a transition period or guidance regarding how companies should comply with the law while a new agreement is negotiated or as they transition to new mechanisms.”
These concerns have been partially addressed by the statement issued by the European Commission. But growing worries from U.S. tech companies are driving policy makers in Washington to move quickly, as none of the options in the EC’s press release provide the complete protection for companies that Safe Harbor had.
U.S. Government Reactions:
The institution of a new U.S./EU (or possibly even global) data protection scheme depends on the U.S. deciding whether the benefits of programs like PRISM are worth the loss of global market share American companies will suffer without legislative reform. Concerns expressed by the CJEU about the U.S. government’s ability to view European data at will under the auspices of “intelligence gathering” were echoed by many in the EU’s technology sector. Jens-Henrik Jeppesen, the director of European Affairs for the Center for Democracy and Technology, told the internet publication TheIntercept.com that “Surveillance is the heart of this matter,” and that “The highest court in the European Union is not satisfied with the guarantees such as they are under current U.S. laws.”
During the Schrems trial, the U.S. delegation to the negotiations on the GDPR issued a statement to the CJEU insisting that the U.S. does not and has not engaged in indiscriminate data gathering. However, in the wake of the Snowden leak, and obvious legislative conflicts with DPD standards, the CJEU found this statement to be unconvincing. Since the Schrems decision was announced, however, the tone of the U.S. government has shifted significantly and, while it has issued no statements of apology or retractions of previous claims, there has already been movement towards new legislative protections for EU data.
The reactions from Washington have been remarkably unified, with many expressing concern for the consequences of the decision, or even implying it was rash, but all acknowledging a need for immediate action to fill the void left by Safe Harbor. Statements made by Senator Ron Wyden are prime examples of this dichotomy, calling the ruling “disastrous” for U.S. companies and stating that “by striking down the Safe Harbor Agreement, the European Union Court of Justice today called for open season against American businesses.” But Senator Wyden also went on to suggest possible reforms, and called on Congress to “start taking the next steps on surveillance reform now.” U.S. Commerce Secretary Penny Pritzker stated in a press conference after the decision was announced that “the court’s decision necessitates release of the updated Safe Harbor Framework as soon as possible.”
The larger question regarding U.S. intelligence gathering policies has not yet been addressed (at least not publicly); therefore the current challenge for the U.S. government is taking legislative action to repair the damaged trust of the EU.
The Judicial Redress Act
The first concrete legislative step towards the reform of U.S. data policy has come in the form of the Judicial Redress Act. According to business law news site Cooley.com, on October 20, 2015, the U.S. House of Representatives agreed to move forward the Judicial Redress Bill (H.R. 1428).
This bill, which would seek to allow some foreigners the right to pursue their privacy rights in U.S. courts (one of the European Court’s objections in the case), was passed through the House within three weeks of the Schrems decision. “The sudden termination of the Safe Harbor framework strikes a blow to US businesses by complicating commercial data flows. If we fail to pass the Judicial Redress Act, we risk similar disruption to the sharing of law enforcement information,” said U.S. Representative Jim Sensenbrenner, one of the bill’s sponsors, in an article he authored for Congressional blog thehill.com.
Anyone familiar with the slow pace of Washington policy-makers might perceive that this three-week turnaround, from drafting to passing the House, is demonstrative of how seriously Congress is taking the invalidation of Safe Harbor. This sense of unified urgency was reemphasized by Representative Sensenbrenner’s further assertion that the Judicial Redress Act bill has been endorsed by the Department of Justice, federal law enforcement, and U.S. businesses, including “the Chamber of Commerce and nearly all of our largest technology and information companies.” The bill must still make it through the Senate and obtain the White House’s approval before it becomes law. However, even if this measure fails, it is clear that movement by the U.S. government is required to mend the free-flow data relationship with the EU after Schrems.
Potential Future Developments
Many say Schrems is a positive step forward in requiring greater security, encryption, and disclosure about data use to consumers of brands like Google and Facebook. After the announcement of the decision, the First Vice-Chair of the EC, Frans Timmermans, proclaimed “Today’s judgment is an important step towards upholding Europeans’ fundamental rights to data protection.” Others say that the invalidation of the Safe Harbor decision only throws sand in the gears of commerce and that the new requirements could put a major strain on tech companies.
It is as yet unclear what the full political and legal ramifications of the decision will be, but what is immediately apparent is this: the CJEU’s decision in Schrems has foundational consequences regarding any new deal, such as the GDPR, on the subject of data protection. It not only invalidates Safe Harbor, but also makes it clear that any new arrangement has to be fundamentally different from the old one. Finally, whatever form it takes, the new scheme has to protect European citizens better against U.S. firms, and against the U.S. government.
Carson Ray Martin is a current 2L at Campbell Law School. He can be reached at crmartin0104