The European Commission’s safe harbor framework is invalid, and U.S. companies are no longer protected by self-certifying that they adequately protect European data in compliance with the European Union’s (EU) Data Protection Directive (95/46/EC). Schrems v. Data Prot. Comm’r. The Court of Justice of the European Union (CJEU), the EU’s highest court, ruled that even if U.S. companies use adequate protection measures for personal data of European users, U.S. authorities are not subject to the provisions of the safe harbor framework. The safe harbor agreement, therefore, places the data privacy of Europeans at risk of U.S. government surveillance. Section leaders opine that the decision has significant ramifications and forces U.S. companies doing business in Europe to find alternative ways to legally transfer data.
Schrems Complaint Leads to Safe Harbor Invalidation
In 2013, Austrian Facebook user Maximillian Schrems filed a complaint with the Irish Data Protection Commissioner alleging that his Facebook data was not being adequately protected, in accordance with European privacy laws, when transferred to U.S. servers. The Irish data commissioner denied Schrems’s complaint, citing a 2000 European Commission decision that established the Safe Harbor agreement between the United States and the EU. On review of the commissioner’s rejection of Schrems’s complaint, the Irish High Court referred to the CJEU the inquiry of whether national privacy protection authorities are required to follow the European Commission’s Safe Harbor agreement.
On October 6, 2015, the CJEU ruled that each country’s privacy authority may determine whether data transfer complies with local laws and raise issues with its respective country’s national court if it believes data is not being protected. The EU’s highest court also found that safe harbor, the 15-year-old transatlantic data transfer framework, was invalid because it placed U.S. national security needs and law enforcement requirements above data privacy of European citizens. The CJEU remanded Schrems’s case back to the Irish High Court.
Developments since the End of Safe Harbor
Since the CJEU’s landmark decision, the European Commission and the U.S. government have been diligently working to establish a new data privacy transfer agreement. On October 15, 2015, the Article 29 Working Party, an advisory group to the European Commission consisting of data privacy officials from the EU member states, met to offer guidance and provide a statement to the more than 4,000 companies affected by the invalidation of Safe Harbor. On October 20, 2015, Ireland’s High Court heard Schrems’s case on remand and ordered an investigation by the Irish privacy authority into Facebook’s transfer of user data to examine whether personal data was protected from U.S. government surveillance. Also on October 20, 2015, the U.S. House of Representatives passed the Judicial Redress Act (H.R. 1428), which allows foreign citizens to bring civil actions against the U.S. government if the U.S. government violates their individual privacy.
On November 6, 2015, the European Commission published guidance discussing alternative methods for transfer of data to the United States, such as using standard contractual clauses and binding corporate rules, until a new data transfer pact is established. The Article 29 Working Party has given the European Commission and U.S. authorities until the end of January 2016 to find a solution to replace the Safe Harbor framework, or enforcement actions against U.S. companies for failure to comply with the EU’s privacy laws may begin.
Swift Action Is Necessary to Comply with EU Privacy Laws
Section leaders agree on the far-reaching effect of the CJEU’s invalidation of safe harbor for those U.S. companies that relied on the transatlantic pact for data transfer. “The more than 4,000 companies that did rely primarily on the Safe Harbor in order to comply with the EU Data Protection Directive for transfers of EU citizens’ personal data to the U.S. must quickly assess whether to employ one of the nine approved alternative measures to avoid potential investigations and fines by EU member states’ data protection authorities in 2016,” instructs Tyler G. Newby, San Francisco, CA, cochair of the ABA Section of Litigation’s Privacy & Data Security Committee.
“Those may include enacting and obtaining country-level approval of binding corporate rules for intra-company transfers, employing model contractual clauses for the treatment of transferred data, or consent mechanisms. Or those companies may choose to put their faith in the ability of the U.S. Chamber of Commerce and EU Commissioner for Justice to finalize ‘Safe Harbor 2.0’ to address longstanding concerns by EU Data Protection Authorities about the level of protection afforded to EU citizens’ data once transferred to the U.S.,” states Newby.
“Companies involved in EU-US data transfers carefully consider the risks associated with such data transfers and, following the advice of the Article 29 Working Party, ‘should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks,’” suggests Stephen E. Reynolds, Indianapolis, IN, cochair of the Website Subcommittee of the Section of Litigation’s Products Liability Committee. “Moreover, even companies that did not previously rely on safe harbor should take steps to monitor these continuing developments and ensure these solutions are put in place prior to the end of January 2016,” instructs Reynolds.
“Companies may choose to avoid transferring data to the United States altogether by maintaining EU member state citizens’ data within the EU. There is no ‘one size fits all’ answer; the mechanism a company chooses will depend on its business needs and its risk tolerance. Whatever mechanism U.S. companies choose, they have a small window within which to act,” warns Newby.
Onika K. Williams, Litigation News Contributing Editor – March 24, 2016
Keywords: safe harbor, privacy, data, surveillance
- Schrems v. Data Prot. Comm’r, E.C.J., No. C-362/14 (Oct. 6, 2015).
- Schrems v. Data Prot. Comm’r, Advocate General’s Opinion in Case C-362/14 (Sept. 23, 2015).
- Safe Harbor, European Commission Directive 95/46/EC.
- European Union’s (EU) Data Protection Directive (95/46/EC).
Copyright © 2017, American Bar Association. All rights reserved.