News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Tracker Privacy Tracker

Alerts and legal analysis of legislative trends

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Privacy List Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 Member Directory

Locate and network with fellow privacy professionals using this peer-to-peer directory.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 GDPR Training

Learn the legal, operational and compliance requirements of the EU regulation and its global influence.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 CIPP/E + CIPM = GDPR Ready CIPP/E + CIPM = GDPR Ready

The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for GDPR readiness. Learn more today.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
Privacy and AI Governance Report

This report explores the state of AI governance in organizations and its overlap with privacy management.

2023 IAPP Privacy Professionals Salary Survey

This report explores the compensation, both financial and nonfinancial, offered to privacy professionals.
Privacy and Consumer Trust Report

This report shines a light on what consumers around the globe think about privacy and the companies that collect, hold and use their data.
IAPP-EY Annual Governance Report 2022

This year’s governance report goes back to the foundations of governance, exploring “the way that organizations are managed, and the systems for doing this."
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
International Data Transfers

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to international data transfers.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Vendor Marketplace

Use the Vendor Demo Center, Privacy Vendor List and Privacy Tech Vendor Report to easily identify privacy products and services to support your work.
Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the country’s privacy field deliver insights, discuss trends, offer predictions and share best practices.

Data Protection Intensive: Nederland Data Protection Intensive: Nederland

Hear expert speakers address the latest developments in data protection globally and in the Netherlands.

 Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Data Protection Intensive: Deutschland Data Protection Intensive: Deutschland

Join top experts for practical discussions of issues and solutions for data protection in the DACH region.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. 2023 is the place for speakers, workshops and networking focused on the intersection of privacy and technology.

Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts predict the evolving landscape and give insights into best practices for your privacy operation.

Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | What Really Sank Safe Harbor? Related reading: LIBE Committee to Commission: Why Did Safe Harbor Last 15 Years?

rss_feed

""

Not everyone in politics and government are fools, any more than in the private sector. Many must have known about the U.S. National Security Agency (NSA) and its partner agencies' surveillance activities for the 30 to 40 years since they entered the public domain. Yet last week, the European Court of Justice (ECJ) invalidated the Safe Harbor decision, apparently because of the NSA post-Snowden.

Or so we have been told many times by many people, not least by Max Schrems. Some are even encouraging us to believe that all we have to do is tell the NSA to play nice and everything will sort itself out with a "Safe Harbor 2.0" agreement.

This is a serious logical disconnect, exacerbated in the adequacy context when you consider the well-known fact that the EU member states do not come with anything close to clean hands. Something does not compute here. So let us go beyond the rhetoric.

Of the final two paragraphs set out in the ECJ judgment, the second is uninteresting, merely invalidating Safe Harbor. The first paragraph, however, sets out the nominally procedural judgment, in a nutshell, that member states and their regulators can challenge any European Commission decision that might conflict with the European Charter of Fundamental Rights. This mirrors Advocate General (AG) Yves Bot’s opinion (paragraphs 98, 116).

Fundamental rights always have been a part of European law, embedded albeit vaguely in the treaty itself. However, between 1999 and 2007 they were consolidated and codified as coming into force with the Treaty of Lisbon in December 2009. They effectively imported Winston Churchill's European Convention on Human Rights, to which the EU recently had become signatory. Unlike the Convention, whose effect is only "vertical," against governments, the Charter also can be used "horizontally" in the private sector.

The significance of this goes far beyond the Schrems case and indeed Safe Harbor, which could be only one of the casualties. 

The regulators and courts in member states now will be able to review all adequacy decisions—by implication this would include the "approved" nation list, such as Canada, New Zealand, Israel, Uruguay, etc. As the AG put it (paragraph 104), such decisions may be no more than "presumptions" which are "rebuttable." On the other hand, alternative regimes such as Binding Corporate Rules, standard clauses and seals should be quite survivable against most regulators, if only because they come "pre-loaded" with considerable regulatory endorsement. Of course they will not necessarily survive private court challenges on a company-by-company basis.

Conceptually, the Charter's privacy components could be seen as symbolizing the merger of the business and government strands of privacy thinking originally initiated by Louis Brandeis in 1890 and Churchill in 1948. However, it has extraordinary power. Reviewing some of the data protection track record of the Charter's Articles 7 and 8:

  • In 2014, the ECJ struck down an entire enactment of the European Parliament: the Data Retention Directive;
  • In 2015, the Court of Appeal of England and Wales (EWCA) struck down, in effect, an entire Act of Parliament: the Data Retention and Investigatory Powers Act 2014, the 2014 UK attempt at a "snooper's charter" following the demise of the Directive;
  • In 2015, in the horizontal Vidal-Hall v Google case, the EWCA also struck down s.13(2) of the Data Protection Act 1998, obstructing plaintiffs from seeking damages for non-pecuniary/unquantifiable loss (note this is subject to appeal);
  • In Vidal-Hall, the EWCA also "discovered" the tort of misuse of private information, bypassing all adequacy regimes (permission to appeal refused);
  • Now we have Schrems, a kind of horizontal case with a vertical digression, in which the ECJ has struck down the EC's Safe Harbor decision.

Prima facie, it appears the factual scope of the Schrems procedural appeal was limited to the NSA revelations. However this is misleading.

As the AG said, “Not all aspects of the functioning of the safe harbour scheme have been discussed in ... (these proceedings), and for that reason I do not consider it possible to embark here on an exhaustive examination of the shortcomings of that scheme.” Perhaps he was hinting at a whole succession of public- and private-sector privacy events post-9/11.

For example, the passenger name record (PNR) arrangements imposed by the U.S. forced European airlines to choose, per flight. between committing hundreds of criminal offences in Europe or paying $5,000 per passenger, opening both a comity gap and a "trust gap," which has only widened. The U.S. was always well aware of this; for instance, I was invited to brief a congressional committee chairman on that very point following my speech at a security conference more than 10 years ago. If anything, the NSA is merely the final, minor straw. In passing, PNR now may expect a Schrems-like challenge: Arguably, PNR was always on flimsier ground than Safe Harbor.

Is Safe Harbor 2.0 possible? Of course.

But as a matter of logic and law it must go the same way as the first, until and unless the substance—as distinct from the label—of the regime complies with the Charter. See the AG's comments at 224-5.

It seems to me that the Charter is being wielded by courts in Europe in similar ways to courts in the U.S. wielding the Constitution: that is, to strike down noncompliant decisions of the executive and noncompliant acts of the legislature. This is unprecedented, especially for the UK, in which the last time someone challenged the supremacy of Parliament, 370-odd years ago, they cut his head off.

For avoidance of doubt, nothing said above is legal advice.

photo credit: The Sweepstakes Shipwreck 1 via photopin (license)

Author
Headshot Stuart Ritchie Nonmember Contributor
Tags
Europe
U.S.
Privacy Law
Transborder Data Flow
3 Comments

If you want to comment on this post, you need to login.

  • comment Michael Hopp • Oct 21, 2015 
    Thanks for a great article. 

You mention that standard clauses should be survivable against most regulators. Have you considered that standard clauses come with built-in right for nation DPAs to prohibit transfers based on the standard clauses, see article 4 (1) (a) of the Commission decisions regarding C2C as well as C2P standard clauses, if 

"it is established that the law to which the data importer or a sub-processor is subject imposes upon him requirements to derogate from the applicable data protection law which go beyond the restrictions necessary in a democratic society as provided for in Article 13 of Directive 95/46/EC where those requirements are likely to have a substantial adverse effect on the guarantees provided by the applicable data protection law and the standard contractual clauses".

The same issue is dealt with in clause 5 of the standard clauses, see for example clause 5(b) of the C2P standard clauses: 

"The data importer agrees and warrants: ... (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract"

It will be interesting to see national DPAs enforce these provisions against transfers to a number of third countries, including India and China.
  • comment Stuart Ritchie • Oct 22, 2015 
    @Michael: thanks for your comments on standard clauses (sometimes misleadingly called "model" clauses). I agree. You are quite right and this in part is what makes standard clauses "survivable", as they always provided wiggle room for the regulators. The Charter of course raises the bar, making intervention a little more likely, most especially from aggrieved DPAs responsible for affected data subjects away from the company's forum-shopped main European establishment (the erstwhile "one-stop-shop"). As for other "survivability" attributes, standard clauses go some way to covering off other Directive objectives, such as data subject remedy (the seventh Safe Harbor principle usually honored only in the breach). Interestingly, Jon Neiditz has inferred that the protections of standard clauses indirectly may extend beyond the EU (https://www.linkedin.com/pulse/how-safe-harbors-death-empowers-non-europeans-spawns-jon-neiditz)

(Likewise the reason that BCRs seem survivable is that they require DPA unanimity prior to approval, thus only changes in law or regulator attitudes should imperil them)

In general I would expect regulatory challenge to companies using the standard clause regime, at least in the early stages, to focus on the low-hanging fruit, as it were: those companies attempting to use it to self-certify while ignoring their substantive obligations. It seems likely the regulators will be able easily to identify these by randomly piggybacking on private court cases or news reports. In the short term it might seem viable to hide in the forest. However, with fines multiplying approximately a hundredfold in two years time (the GDPR) this may not be a good time for businesses to establish a bad track record.
  • comment Teresa Schoch • Oct 23, 2015 
    Thank you, Stuart. I really appreciate how you can cut right through to the important aspects of EU privacy protective measures that can really only be understood by framing them within their historical references. I will be citing this work frequently.
Related Stories
Five Myths About Safe Harbor
5
I have been thinking a lot recently about the days at the U.S. Department of Commerce (DoC) back in the late 1990s when we negotiated the U.S.-EU Safe Harbor Privacy Arrangement (Safe Harbor) with the European Commission (EC). I remember the first time that I met Barbara Wellbery, the chief architec...
Read More queue Save This
Related Stories
Tags
Europe
U.S.
Privacy Law
Transborder Data Flow
Recent Comments