"Uncertainty" is the word of the day in privacy circles

Max Schrems has won. In a closely watched case, the European Court of Justice (ECJ) released a judgment this morning agreeing with his argument that the PRISM mass surveillance program unveiled by Edward Snowden makes the European Commission’s finding of U.S. adequacy for personal data transfer with the Safe Harbor mechanism “invalid.” 

Truly, the ECJ could not have been more clear: “Decision 2000/520 is invalid.” Yet many are uncertain what to do next. For, further, the court ruled that any finding of adequacy “such as” Decision 2000/520 “does not prevent a supervisory authority of a Member State … from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.”

Where does that leave other Commission-generated findings for data transfer? Few have a good answer to that question.

Schrems celebrated the decision: “I very much welcome the judgment of the court, which will hopefully be a milestone when it comes to online privacy,” he said in a provided statement. “This judgment draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible ... This decision is a major blow for U.S. global surveillance that heavily relies on private partners. The judgment makes it clear that U.S. businesses cannot simply aid US espionage efforts in violation of European fundamental rights.

“At the same time,” he continued, “this case law will be a milestone for constitutional challenges against similar surveillance conducted by EU member states.”

Irish Data Protection Commissioner Helen Dixon, who was the defendant in the case once she took over for the departing Billy Hawkes, also said she welcomed the decision:

“The issues dealt with in the judgment are complex,” she wrote. “While they will require careful consideration, what is immediately clear is that the court has reiterated the fundamental importance attaching to the right of individuals to the protection of their personal data. That is very much to be welcomed.

“In articulating the level of responsibility that the national data protection authorities in each member state will bear,” she continued, “the judgment also clarifies the mechanisms by which data privacy rights must be protected by national data protection supervisory authorities, and the relationship between those authorities and the European Commission.”

She said she would immediately begin to collaborate with her fellow DPAs in understanding how they should work together to implement this invalidation of Safe Harbor in practice.

Many DPAs, including Christopher Graham in the UK and Alexander Dix in Germany, has noted in the past that they are already under-resourced. This decision will likely greatly tax their offices.

For its part, the U.S. Department of Commerce, which oversees the Safe Harbor framework in conjunction with the Federal Trade Commission and has worked with the EC over the last two years to strengthen the framework based on EC recommendations, said in a statement it is "deeply disappointed in today's decision ... which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy." It added it is "prepared to work with the European Commission to address uncertainty created by the court decision" so that the companies who've complied "in good faith" with the framework can continue to thrive. 

Certainly, the next step for businesses that had been operating under Safe Harbor is very far from clear. It may be tempting to simply fall back on standard contractual clauses or binding corporate rules, but, noted Gabriela Krader, corporate data protection officer at Deutsche Post DHL, “the reasoning for invalidity—massive access, no judicial protection—impacts on the validity of all means to provide guarantees for adequate protection. It is difficult to see how companies should be able to ‘withstand’ requests or activities of U.S. public authorities.”

Nicola Regan, senior partner at Privacy Partnership, was similarly concerned: “The ruling has left the U.S. and EU trade negotiations in tatters and the Commission's new attempt at a Safe Harbor v2 in doubt,” she said. “It also calls into question whether other models such as BCR or model contracts could be challenged at a future date further reducing the options for US companies.”

Indeed, this is now an “extremely complex situation for many European companies,” agreed Caroline Olstedt Carlström, chief counsel for global privacy at Swedish e-commerce firm Klarna AB. “Many of us are in effect transferring huge amounts of data based on this transfer mechanism every single day. For instance, many of the U.S. service providers base their standard offerings on a Safe Harbor solution, which means that the standard contracts offered cannot be considered compliant. Especially SMEs depending on cloud services for instance, or platforms based on such services, will be very unpleasantly affected by this.”

Further, she points out, “many of those companies may not have access to, or can afford, their own in-house counsel to advise at this point.”

Indeed, data protection lawyers ought to be busy this week. Even so, some of them expressed displeasure at the ruling and the current state of play that has led to such uncertainty. Henriette Tielemans, partner at Covington & Burling, said, “companies have a right to rely on existing legislation and while they will need to address their data transfers going forward, a solution must be provided for the millions of data transfers that took place, in good faith, on a data transfer method that has now been declared ‘invalid’.”

Some of the legislators, themselves, pronounced themselves very pleased with the decision. For instance, the Parliament’s Civil Liberties Committee Chair Claude Moraes, who has already declared Safe Harbor unfit, agreed whole-heartedly with the ECJ:

“Compared to the strong, enforceable data protection legislation that exists in the EU, Safe Harbor offers completely inadequate protection for EU citizens using services from U.S. companies,” he said. “The Snowden disclosures threw into the spotlight these inadequacies in particular as it does not provide any protection from mass surveillance activities as it contains a national security exemption which has never been clarified. However, there were also concerns prior to the Snowden revelations given that it is a non-binding agreement, which lacks compliance by companies and gives no possibility for citizens to enforce their rights.”

So, what’s next? The Schrems case is not over. It now returns to the Irish High Court and Dixon said she has “instructed the DPC legal team this morning to take whatever actions are necessary to bring the case back as soon as practicable.”

We will also now see whether similar cases are brought before data protection commissioners throughout the EU. “The average consumer will not see any restrictions in daily use,” Schrems predicted, but some U.S. cloud providers and big Internet firms “may face serious legal consequences from this ruling when data protection authorities of 28 member states review their cooperation with U.S. spy agencies.”

Klarna AB’s Carlström fears this could even feed into the fragmentation of the EU. “For instance,” she said, “in Germany, local DPAs have already stated that they consider this mechanism to be not compliant. The level of complexity for European enterprises when transferring information to the U.S. will increase even further.”

And while many may agree with Parliament’s Moraes when he says “the Commission must immediately put forward a new complete and strong framework for transfers of personal data to the U.S. which complies with requirements of EU law as enshrined in the Charter of Fundamental Rights and EU data protection rules and provide our citizens with solid, enforceable data protection rights and effective independent supervision," it’s unclear whether the changes that the U.S. government has made to its intelligence practices are enough to satisfy those standards.

“Considering the history of Safe Harbor,” said Ernst O. Wilhelm, CPO at German firm GFT Technologies, “this decision does actually not represent a surprise. However, business on both sides of the Atlantic are facing now a situation already feared and have to cope with additional risks and burden. EU and U.S. representatives have to discuss seriously ways out of the dilemma and the EU perspective on relevant matters needs now to be emphasized in these discussions.”

“As things stand,” noted John Bowman, formerly a negotiator with the UK’s DAPIX team on the GDPR and now a consultant with Promontory, “the result of this decision is further legal uncertainty and costs for business with no corresponding strengthening of protection for EU residents.”

European Commissioners didn’t do much today to assuage the many uncertainties being expressed by business leaders. In a press conference, First Vice President Frans Timmermans and Commissioner Věra Jourová both expressed the need to digest the ECJ ruling and to speak with the national DPAs.

On one hand, the ruling is validation, said Timmermans. “This is why the Commission began to negotiate a new agreement with the U.S.,” he said. “And it’s in this spirit that the Commission is continuing to negotiate … There are two goals here, the integrity and security of the data of our private citizens and to facilitate the business situation for European businesses and to ensure that there’s legal certainty for our companies to avoid confusion.”

However, when asked for clarity on whether BCRs and other mechanisms are also called into question by the ruling, Jourová could not supply much in the short term.

“We have started intensive discussions with the DPAs and with the Working Party 29 because what we have to ensure together is the unified approach of the DPAs,” she said, “so the legal certainty for the businesses is as high as possible. How can we ensure the same level of certainty? That’s the main issue. We don’t have any direct jurisdiction on American soil, and we need more time to agree on the national security points on the two recommendations [to the U.S. for continuing Safe Harbor] that concern the security issues.”

She said to look for guidance in roughly two weeks on how companies should expect to handle transfers to the United States, and elsewhere, in light of the ECJ decision.

In the meantime, companies will continue to look for answers wherever they can find them, and the DPAs’ phones will likely be ringing off the hook.