Update on Safe Harbor

Photo by Skyhigh Networks.

Editor’s Note: The Campbell Law Observer has partnered with Judge Paul C.  Ridgeway, Resident Superior Court Judge of the 10th Judicial District, to provide students from his International Business Litigation and Arbitration seminar the opportunity to have their research papers published with the CLO.   The following article is an update on a previously published CLO article from this series, U.S. Is No Longer a Safe Harbor for EU Data, written by guest contributor, Carson Ray Martin.

BY: Carson Ray Martin, Guest Contributor

After a tense three month negotiation between the European Commission and the US Department of Commerce, as well as other international privacy concerns, a tentative agreement has been reached called the EU-US Privacy Shield.  This agreement is awaiting final approval by the Article 29 working party as well as increasingly powerful EU privacy watchdog groups.  The Privacy Shield agreement was reached two days after the previous deadline set by the European Commission of January 29, 2016, and contains assurances by the United States, that national security agencies will not have unfettered access to EU citizens data transferred to United States servers.  In particular, the European Commission has emphasized how the United States had proposed greater oversight on the access American intelligence agencies have to Europeans’ data.

The United States also agreed to establish an ombudsman in the State Department to act as a first point of contact for Europeans if they believed American government agencies had misused their data.  In addition, the Judicial Redress Act will grant U.S. allies’ citizens, including the EU, with the right of civil action against the U.S. Government for privacy violations.  It is unclear how this Act will affect the ombudsman and whether the two will converge or offer two separate avenues for redress.  In addition to the agreement, the Act would provide for avenues of remedy for EU grievances.  The written assurances of compliance with EU privacy standards required by the agreement will be re-evaluated and re-issued annually.  Vera Jourova, the European Union’s justice commissioner who has led the negotiating team has stated, “We will hold the U.S. accountable on the commitments that they have made.”

Despite these assurances, European consumer groups remain skeptical and several have stated that they intend to file suits seeking to overturn this new agreement. 

Despite these assurances, European consumer groups remain skeptical and several have stated that they intend to file suits seeking to overturn this new agreement.  Others have called for the United States to bring its privacy laws up to the level of those in the E.U. “The problem is that the U.S. remains unchanged,” said Marc Rotenberg, president of the Electronic Privacy Information Center in Washington. And even the Harvard Business Review calls the new agreement “largely toothless” pointing out that the EU High Court’s rejection of Safe Harbor was based largely on the United States laws which enable potential privacy violations.  There is little indication that this new agreement signals a shift in US intelligence gathering practices or law.  Pending final resolution of these issues, businesses who deal in the exchange of data with the EU should continue to utilize the methods suggested in the original article (SCCs and BCRs) in order to allow for the smallest possibility that their transactions will be found to be extra-legal for reliance on the old Safe Harbor scheme.

There is another side to this story which has not been as widely publicized, but is gaining traction as the negotiations for a new trans-Atlantic data agreement drag on. Namely that the “finger wagging rhetoric” directed towards United States data policies is seen as hypocritical when one considers that many EU member states perform the same sort of data mining as the NSA (often in conjunction with the US intelligence giant).  This narrative paints the dissolution of Safe Harbor as an attempt to hamstring US tech companies, a theory which is perhaps reinforced by the bevy of anti-trust cases against US tech companies currently in the pipeline in EU courts.  Proponents of this view claim that the extent to which EU concerns about privacy are legitimate, are more a reflection of the opposite roles of EU governments (to protect citizen’s privacy from violation by private entities) from those of the US (which protect the citizen’s privacy from government invasion), than it is a result of malicious US intent or deficient US privacy laws.

After the invalidation of Safe Harbor in October, it was clear that whatever the scheme was developed to replace it would need to be fundamentally different.  The general consensus seems to be that the EU-US Privacy Shield is more of the same, and ultimately fails to deal with or even acknowledge many of the objections which led to the Schrems decision. Even the Judicial Redress Act is more of a first step, and does not do enough on its own to address the problematic US laws which give the government’s intelligence apparatus free reign to view and utilize EU data on US servers.

Regardless of the motivating impetus of EU policy makers, it seems clear that the EU-US Privacy Shield is purposed more to shield US companies from EU legal enforcement than to shield EU citizens from US privacy violations.  For this reason, whether or not this new data protection scheme achieves final approval by EU authorities, prolonged and bitterly contested litigation seems unavoidable.

Carson Ray Martin is a current 2L at Campbell Law School. He can be reached at cr**********@em***.edu/”>cr**********@em***.edu.