Solving the Unsolvable on Safe Harbor—The Role of Independent DPAs

Since the European Court of Justice (ECJ) announced its Schrems decision on October 6, there has been understandable consternation about what comes next—is there any legal and practical way forward on EU/U.S. data flows?

Fortunately, we have faced a similar situation once before, and solved it. That earlier experience, in the late 1990s, suggests a promising path this time as well. Notably, this path reaffirms the lawfulness of Binding Corporate Rules (BCRs) and model contract clauses, thus providing ongoing, lawful means of transferring personal data to the U.S.

How Safe Harbor Solved the Unsolvable

The signing of the Safe Harbor in 2000 came only after many observers feared there was no legal solution to the differences in EU and U.S. privacy laws. The Data Protection Directive was finalized in 1995, and went into effect in late 1998. One fundamental challenge was that most EU experts believed the U.S. lacked “adequate” privacy protections.

The EU position at the time was similar in three respects to the position today, a mix of:

1) Fundamental rights. The 1995 Directive was enacted to enable flows of personal data within the EU and to protect fundamental rights in privacy.  

2) Legal compliance. Any solution with the U.S. had to meet the legal requirements set forth in the Directive, notably the “adequacy” requirement.

3) Bargaining position. Senior EU officials hoped that the strict provisions of the Directive would put pressure on the U.S. to bring its privacy laws closer to the EU approach.

In the lead-up to Safe Harbor, the right of access was particularly at issue.

In the lead-up to Safe Harbor, the right of access was particularly at issue. Under some U.S. law, such as the Fair Credit Reporting Act, individuals have the right to access records, such as their credit history. More generally, however, there is not an over-arching principle in U.S. law that individuals always have access to the data processed about them. During early negotiations, there was no proposal on the table that could bridge the gulf between the EU and U.S. approaches.

In 1997, Barbara Wellbery, the U.S. official principally leading on the issue, asked me to head a three-person delegation to study the right of access on the ground in seven EU countries. (Brian Hengesbaugh was the Department of Commerce representative for this.)

The facts we discovered added useful context for the EU/U.S. negotiations. We discovered literally dozens of exceptions to the access principle in practice, ranging from no access to the confidential commercial information in a company’s computer systems to no access for students to the test questions from last year’s exams. These factual findings made it possible in the Safe Harbor to affirm the EU fundamental right: “Individuals must have access to information about them that an organization holds.” They also formed the basis for the important exceptions to the access right that actually were followed in Europe, such as where the expense of providing access is disproportionate to the risks to the individual’s privacy, or for confidential commercial information.

This experience with the access right suggests important lessons for today’s challenges.

The U.S. must take European law and practice seriously. It will do little good to fulminate about why the ECJ is wrong—the Schrems decision is now the law. At the same time, the EU should not be able to insist on U.S. practices that are stricter than what the EU expects of its own organizations.           

The Right to Redress Exists for BCRs and Contracts

In seeking a path forward, my suggestion is that we focus on the role of the independent Data Protection Authorities (DPAs), whose authority was stressed repeatedly by the ECJ. The opinion stated a theme that has long been voiced by EU data protection experts: The individual EU citizen must have recourse to an independent authority to hear the citizen’s data protection concerns. This right to recourse to an independent authority, in the Court’s view, is essential to the protection of the fundamental right to privacy. European DPAs therefore, says the Court, must have the ability to make an independent investigation of the adequacy of transfers out of the EU.

The U.S. must take European law and practice seriously ... At the same time, the EU should not be able to insist on U.S. practices that are stricter than what the EU expects of its own organizations. 

This bedrock finding of the ECJ distinguishes the Safe Harbor from BCRs and model contracts.The ECJ struck down the Safe Harbor because there was not sufficient investigatory authority and enforcement under the control of an independent DPA. By contrast, a company’s BCRs are approved by an EU DPA. Similarly, transfers by means of contracts are under the authority of an EU DPA.

The individual’s right to redress is intact under both BCRs and contracts. The right to redress by an independent authority should be familiar to any U.S. lawyer. The U.S. Supreme Court said many years ago that “a right without a remedy is no right at all.” American lawyers are also familiar with the insistence on independence for the protection of rights—a 4th Amendment warrant for a search or seizure requires a “neutral magistrate.”

Where reasonable people might differ is on who constitutes a sufficient form of independent authority. The Safe Harbor put enforcement authority in the Federal Trade Commission (FTC), the agency whose independence was affirmed by the U.S. Supreme Court in 1935 in the Humphrey’s Executor case. In my view, the ECJ did not challenge the FTC’s independence. Instead, the ECJ critiqued the scope of the FTC’s jurisdiction, which applies to defined commercial activities but not national security.

The scope of FTC jurisdiction has become more relevant due to changes in EU law between the 2000 Safe Harbor and today. The Safe Harbor focused on transfers by commercial companies for commercial purposes, which fit the original EU legal approach of a Common Market for commercial activity. Since 2000, the legal scope of the European Union has expanded, notably through the Lisbon Treaty, which entered into effect in 2009. This treaty gave the EU a greater role in non-commercial areas such as the “area of freedom, security and justice.” It also, as exemplified by the Schrems decision, made the EU’s Charter on Fundamental Rights legally binding.

With Safe Harbor, the EU and U.S. solved what had seemed the unsolvable: The two sides created a legal structure that lasted 15 years, which is not bad for a diplomatic solution in a complex world.

This history allows a more sympathetic perspective on the original lawfulness for Safe Harbor. Within the logic of EU law, the defined scope of FTC jurisdiction became more important over time, as EU law applied in a more binding way to non-commercial activities. The surveillance activities of the U.S. government were not, in my view, within the scope of the original Safe Harbor. Under the Lisbon Treaty, we can see why they could be found relevant today.

In my view, the history also permits a positive view of what Safe Harbor accomplished, despite the recent ruling of its current illegality.

With Safe Harbor, the EU and U.S. solved what had seemed the unsolvable: The two sides created a legal structure that lasted 15 years, which is not bad for a diplomatic solution in a complex world.

Those fifteen years gave both regions time to build up an infrastructure of compliance with data privacy laws. Today, we have thousands of certified company privacy professionals, teamed with experienced counsel. By contrast, the year 2000 saw introduction of the title “Chief Privacy Officer” for any major U.S. corporation. For many global corporations, there are solutions today such as BCRs that simply did not exist in 2000.

The Schrems decision should drive home to U.S. lawyers and officials the importance of following the formal structure of the right to redress.

With that in mind, there may be creative ways to address practical problems. One potentially intriguing idea is to explore the possibility of delegated authority, where an independent DPA retains plenary power about enforcement, but can receive assistance from a public or private entity outside of the EU to assist in the investigation. So long as the legal ability of the DPA to protect its citizens remains in place, there may be room for creativity in precisely how that protection is carried out.

What About Surveillance?

The second issue in the Schrems case was the extent of U.S. national security surveillance. In his recommendations to the Court, the Advocate General strongly emphasized this reason for striking down the Safe Harbor. I have written previously about important inaccuracies in that opinion.

The ECJ’s actual decision relied much more on the right to redress than it did on the scope of U.S. surveillance activities. In the Court’s view, the lack of a redress right was a fundamental legal flaw in Safe Harbor, sufficient to make it unlawful. The facts of U.S. surveillance, by contrast, are a subject to be considered in future DPA assessments of adequacy in a particular investigation.

To date, there has been no such investigation by a DPA of how U.S. and EU surveillance practices compare in their protection of individuals’ rights. Nor did the Court discuss the multiple changes to U.S. law and administrative practice in the wake of the Snowden revelations, relying instead on a 2013 study by EU officials.

The emerging debate about rights of the individual concerning surveillance have important parallels to the 1990s debate about individuals’ access rights.

European courts and regulators have made broad statements about the protections individuals in the EU have against government surveillance. In practice, however, European intelligence and law enforcement agencies have extensive powers, and broader powers were enacted, for instance, in France in the wake of the Charlie Hebdo massacre.

To date, EU data protection officials have had little or no role in regulating the intelligence agency practices. As with access rights in the 1990s, there is a large gap between absolutist statements of protection in theory and the way that EU nations address the issues of the day in practice.

The emerging debate about rights of the individual concerning surveillance have important parallels to the 1990s debate about individuals’ access rights.

Based on the 1990s experience with access, the time has come for a more informed and nuanced discussion of EU and U.S. law enforcement and national security practices.

In the 1990s, the European insistence on absolute protection of the access right was eventually tempered by careful attention to the facts on the ground. The Schrems decision said that “essentially equivalent” protections were required for third countries under the Directive. Where the U.S. practices are stricter than EU practices, or at least “essentially equivalent,” then logically there should be a lawful basis for transfer.

In considering the sensitive topic of government surveillance, the EU will need to consider, not only the practices of the U.S. with its numerous legal checks and balances, but also the practices of all the other countries in the world. The U.S. has its Constitution, laws and multiple layers of oversight of surveillance activities (with the latter documented in the appendices to the President’s NSA Review Group and in reports of the Privacy and Civil Liberties Oversight Board).

From the perspective of law and facts, it would not make sense to prohibit transfers to the U.S. due to surveillance while enabling transfers to China, with its Great Firewall and widespread government access within the country. As DPAs consider investigations into the surveillance practices of other countries, they should move toward findings that reflect the practices of the EU, the U.S. and the many other nations in the world that transfer personal data with the EU. DPAs have power to investigate the overall adequacy of privacy protections, including protections against surveillance, but are not compelled by Schrems to make particular findings about the U.S. or other nations.

The ECJ, in Schrems, has affirmed a bedrock principle, that an independent authority must be in place to protect EU citizens’ fundamental right to privacy. At a formal level, independent authorities have this authority when they approve and oversee BCRs and contract clauses, so BCRs and clauses are fundamentally consistent with the right of redress and the Court’s opinion.

There are numerous challenging issues ahead as the EU implements Schrems and moves forward with the General Data Protection Regulation. As in the 1990s, however, there is a legal path forward for transfers of data, especially when the analysis includes a fair understanding of what the EU expects of its own organizations.

photo credit: 378 - Red Puzzle Texture via photopin (license)

Written By

Peter Swire, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

IAPP-OneTrust Website Scanning & Cookie Compliance Tool

Scan your website for cookies, tags, forms and policies and create a custom, dynamically updated cookie policy based on the results of your scans.

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

More Resources »

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds and unparalleled programs—plus a whole new spin on Active Learning!

Canada Privacy Symposium 2017

The Symposium returns to Toronto! Take advantage of Early Bird rates before March 31 and join your fellow privacy pros for a stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is SOLD OUT and the wait list is closed. If you got on the wait list, we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Join us in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

We're bringing the best of the best in privacy and infosecurity to sunny San Diego. Early registration for P.S.R. opens in May.

Europe Data Protection Congress 2017

Your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Registration opens in early June.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»