Since the European Court of Justice (ECJ) announced its Schrems decision on October 6, there has been understandable consternation about what comes next—is there any legal and practical way forward on EU/U.S. data flows?

Fortunately, we have faced a similar situation once before, and solved it. That earlier experience, in the late 1990s, suggests a promising path this time as well. Notably, this path reaffirms the lawfulness of Binding Corporate Rules (BCRs) and model contract clauses, thus providing ongoing, lawful means of transferring personal data to the U.S.

How Safe Harbor Solved the Unsolvable

The signing of the Safe Harbor in 2000 came only after many observers feared there was no legal solution to the differences in EU and U.S. privacy laws. The Data Protection Directive was finalized in 1995, and went into effect in late 1998. One fundamental challenge was that most EU experts believed the U.S. lacked “adequate” privacy protections.

The EU position at the time was similar in three respects to the position today, a mix of:

1) Fundamental rights. The 1995 Directive was enacted to enable flows of personal data within the EU and to protect fundamental rights in privacy.  

2) Legal compliance. Any solution with the U.S. had to meet the legal requirements set forth in the Directive, notably the “adequacy” requirement.

3) Bargaining position. Senior EU officials hoped that the strict provisions of the Directive would put pressure on the U.S. to bring its privacy laws closer to the EU approach.


In the lead-up to Safe Harbor, the right of access was particularly at issue. Under some U.S. law, such as the Fair Credit Reporting Act, individuals have the right to access records, such as their credit history. More generally, however, there is not an over-arching principle in U.S. law that individuals always have access to the data processed about them. During early negotiations, there was no proposal on the table that could bridge the gulf between the EU and U.S. approaches.

In 1997, Barbara Wellbery, the U.S. official principally leading on the issue, asked me to head a three-person delegation to study the right of access on the ground in seven EU countries. (Brian Hengesbaugh was the Department of Commerce representative for this.)

The facts we discovered added useful context for the EU/U.S. negotiations. We discovered literally dozens of exceptions to the access principle in practice, ranging from no access to the confidential commercial information in a company’s computer systems to no access for students to the test questions from last year’s exams. These factual findings made it possible in the Safe Harbor to affirm the EU fundamental right: “Individuals must have access to information about them that an organization holds.” They also formed the basis for the important exceptions to the access right that actually were followed in Europe, such as where the expense of providing access is disproportionate to the risks to the individual’s privacy, or for confidential commercial information.

This experience with the access right suggests important lessons for today’s challenges.

The U.S. must take European law and practice seriously. It will do little good to fulminate about why the ECJ is wrong—the Schrems decision is now the law. At the same time, the EU should not be able to insist on U.S. practices that are stricter than what the EU expects of its own organizations.

The Right to Redress Exists for BCRs and Contracts

In seeking a path forward, my suggestion is that we focus on the role of the independent Data Protection Authorities (DPAs), whose authority was stressed repeatedly by the ECJ. The opinion stated a theme that has long been voiced by EU data protection experts: The individual EU citizen must have recourse to an independent authority to hear the citizen’s data protection concerns. This right to recourse to an independent authority, in the Court’s view, is essential to the protection of the fundamental right to privacy. European DPAs therefore, says the Court, must have the ability to make an independent investigation of the adequacy of transfers out of the EU.


This bedrock finding of the ECJ distinguishes the Safe Harbor from BCRs and model contracts. The ECJ struck down the Safe Harbor because there was not sufficient investigatory authority and enforcement under the control of an independent DPA. By contrast, a company’s BCRs are approved by an EU DPA. Similarly, transfers by means of contracts are under the authority of an EU DPA.

The individual’s right to redress is intact under both BCRs and contracts. The right to redress by an independent authority should be familiar to any U.S. lawyer. The U.S. Supreme Court said many years ago that “a right without a remedy is no right at all.” American lawyers are also familiar with the insistence on independence for the protection of rights—a 4th Amendment warrant for a search or seizure requires a “neutral magistrate.”

Where reasonable people might differ is on who constitutes a sufficient form of independent authority. The Safe Harbor put enforcement authority in the Federal Trade Commission (FTC), the agency whose independence was affirmed by the U.S. Supreme Court in 1935 in the Humphrey’s Executor case. In my view, the ECJ did not challenge the FTC’s independence. Instead, the ECJ critiqued the scope of the FTC’s jurisdiction, which applies to defined commercial activities but not national security.

The scope of FTC jurisdiction has become more relevant due to changes in EU law between the 2000 Safe Harbor and today. The Safe Harbor focused on transfers by commercial companies for commercial purposes, which fit the original EU legal approach of a Common Market for commercial activity. Since 2000, the legal scope of the European Union has expanded, notably through the Lisbon Treaty, which entered into effect in 2009. This treaty gave the EU a greater role in non-commercial areas such as the “area of freedom, security and justice.” It also, as exemplified by the Schrems decision, made the EU’s Charter on Fundamental Rights legally binding.


This history allows a more sympathetic perspective on the original lawfulness of Safe Harbor. Within the logic of EU law, the defined scope of FTC jurisdiction became more important over time, as EU law applied in a more binding way to non-commercial activities. The surveillance activities of the U.S. government were not, in my view, within the scope of the original Safe Harbor. Under the Lisbon Treaty, we can see why they could be found relevant today.

In my view, the history also permits a positive view of what Safe Harbor accomplished, despite the recent ruling of its current illegality.

With Safe Harbor, the EU and U.S. solved what had seemed the unsolvable: The two sides created a legal structure that lasted 15 years, which is not bad for a diplomatic solution in a complex world.

Those fifteen years gave both regions time to build up an infrastructure of compliance with data privacy laws. Today, we have thousands of certified company privacy professionals, teamed with experienced counsel. By contrast, the year 2000 saw the introduction of the title “Chief Privacy Officer” for any major U.S. corporation. For many global corporations, there are solutions today such as BCRs that simply did not exist in 2000.

The Schrems decision should drive home to U.S. lawyers and officials the importance of following the formal structure of the right to redress.

With that in mind, there may be creative ways to address practical problems. One potentially intriguing idea is to explore the possibility of delegated authority, where an independent DPA retains plenary power over enforcement but can be assisted in the investigation by a public or private entity outside of the EU. So long as the legal ability of the DPA to protect its citizens remains in place, there may be room for creativity in precisely how that protection is carried out.

What About Surveillance?

The second issue in the Schrems case was the extent of U.S. national security surveillance. In his recommendations to the Court, the Advocate General strongly emphasized this reason for striking down the Safe Harbor. I have written previously about important inaccuracies in that opinion.

The ECJ’s actual decision relied much more on the right to redress than it did on the scope of U.S. surveillance activities. In the Court’s view, the lack of a redress right was a fundamental legal flaw in Safe Harbor, sufficient to make it unlawful. The facts of U.S. surveillance, by contrast, are a subject to be considered in future DPA assessments of adequacy in a particular investigation.

To date, there has been no such investigation by a DPA of how U.S. and EU surveillance practices compare in their protection of individuals’ rights. Nor did the Court discuss the multiple changes to U.S. law and administrative practice in the wake of the Snowden revelations, relying instead on a 2013 study by EU officials.

The emerging debate about rights of the individual concerning surveillance has important parallels to the 1990s debate about individuals’ access rights.

European courts and regulators have made broad statements about the protections individuals in the EU have against government surveillance. In practice, however, European intelligence and law enforcement agencies have extensive powers, and broader powers were enacted, for instance, in France in the wake of the Charlie Hebdo massacre.

To date, EU data protection officials have had little or no role in regulating intelligence agency practices. As with access rights in the 1990s, there is a large gap between absolutist statements of protection in theory and the way that EU nations address the issues of the day in practice.


Based on the 1990s experience with access, the time has come for a more informed and nuanced discussion of EU and U.S. law enforcement and national security practices.

In the 1990s, the European insistence on absolute protection of the access right was eventually tempered by careful attention to the facts on the ground. The Schrems decision said that “essentially equivalent” protections were required for third countries under the Directive. Where the U.S. practices are stricter than EU practices, or at least “essentially equivalent,” then logically there should be a lawful basis for transfer.

In considering the sensitive topic of government surveillance, the EU will need to consider, not only the practices of the U.S. with its numerous legal checks and balances, but also the practices of all the other countries in the world. The U.S. has its Constitution, laws and multiple layers of oversight of surveillance activities (with the latter documented in the appendices to the President’s NSA Review Group and in reports of the Privacy and Civil Liberties Oversight Board).

From the perspective of law and facts, it would not make sense to prohibit transfers to the U.S. due to surveillance while enabling transfers to China, with its Great Firewall and widespread government access within the country. As DPAs consider investigations into the surveillance practices of other countries, they should move toward findings that reflect the practices of the EU, the U.S. and the many other nations in the world that transfer personal data with the EU. DPAs have power to investigate the overall adequacy of privacy protections, including protections against surveillance, but are not compelled by Schrems to make particular findings about the U.S. or other nations.

The ECJ, in Schrems, has affirmed a bedrock principle, that an independent authority must be in place to protect EU citizens’ fundamental right to privacy. At a formal level, independent authorities have this authority when they approve and oversee BCRs and contract clauses, so BCRs and clauses are fundamentally consistent with the right of redress and the Court’s opinion.

There are numerous challenging issues ahead as the EU implements Schrems and moves forward with the General Data Protection Regulation. As in the 1990s, however, there is a legal path forward for transfers of data, especially when the analysis includes a fair understanding of what the EU expects of its own organizations.