What did the Advocate General decide regarding Safe Harbor?
An Advocate General for the European Court of Justice has just issued a much-anticipated, non-binding opinion regarding the EU/US Safe Harbor Privacy Arrangement (see Advocate General's Opinion in Case C-362/14, Maximillian Schrems v. Data Protection Commissioner). Going beyond the specific question posed in the case, the Advocate General proposed to the European Court of Justice that Safe Harbor as a whole should be deemed invalid.
What question was the ECJ asked to resolve?
The ECJ was asked to consider whether the Irish Data Protection Commissioner "may and/or must" independently evaluate whether the third country (in this case, the United States through the implementation of Safe Harbor) offers "adequate protection" for personal data within the meaning of the European Data Protection Directive (95/46/EC), or whether the Irish Data Protection Commissioner is bound by European Commission's Article 25(6) decision in this regard. The concerns in the underlying case related to the extent of data accessed by the U.S. National Security Agency and other U.S. authorities as described in Edward Snowden's revelations in 2013.
What are some of the key concerns with the Advocate General's opinion?
Although it is clear that the Advocate General's views are motivated by a strong and genuine concern for data protection and civil liberties, it is equally clear that there are issues with the opinion's analysis and conclusions. Among other concerns, the opinion makes frequent references to the U.S. government's perceived "mass and indiscriminate surveillance and interception" of personal data. It does not, however, address nor analyze in any meaningful detail the many changes in U.S. law and policy that have occurred since those revelations came to light.
The USA Freedom Act was signed by President Obama in June of 2015 and includes provisions protective of privacy and civil liberties, including: elimination of bulk data collection of call data from providers by imposing requirements for specific selection terms; permission for FISA courts to appoint an individual or organization to provide, among other things, legal arguments that advance the protection of individual privacy and civil liberties; requirements for FISA courts to find that the data collection procedures meet applicable standards for data minimization, and allowance of certain nondisclosure orders to be challenged immediately by the recipient.
With regard to policy changes, President Obama issued in June of 2014 Presidential Policy Decree 28 (“PPD-28”), which applies to all signals intelligence activities (electronic system monitoring) and provides that “[p]rivacy and civil liberties shall be integral considerations” in such activities. PPD-28 sets out specific principles to be followed for safeguarding personal data collected from signals intelligence activities, including: (i) minimization; (ii) data security and access; (iii) data quality; and (iv) oversight. PPD-28 also includes requirements for privacy and civil liberties policy officials, a coordinator for international diplomacy related to foreign inquiries on signals intelligence and periodic reporting by the Director of National Intelligence.
From a transatlantic perspective, the EU-U.S. data protection "Umbrella Agreement" has now been approved by US and European authorities. This Umbrella Agreement establishes a comprehensive, high-level data protection framework for EU-U.S. law enforcement cooperation and to provide safeguards and guarantees of lawfulness for data transfers. In particular, once certain implementing legislation is adopted, EU citizens will under the agreement have the same judicial redress rights as U.S. citizens in case of privacy breaches.
Moreover, although the opinion suggests that the European Commission has taken no action to update the Safe Harbor since its inception, the European Commission and the U.S. Department of Commerce are engaged in a comprehensive review of Safe Harbor. Such agreement is reportedly "very close" to completion, and would establish an updated Safe Harbor program that addresses the Commission's specific points of concern with the program.
If adopted, what would the opinion mean for Safe Harbor companies and their European trading partners?
For Safe Harbor companies and their European trading partners, the adoption of the opinion by the full court would cause material disruption to settled global data protection compliance programs, established business relationships and other consequences. Moreover, because the opinion seems to suggest that there would be no effective mechanism that could limit U.S. government access to data, the opinion would arguably apply equally to all data transfers to the United States, whether supported by Safe Harbor, Binding Corporate Rules, standard contractual clauses or other approaches. It would also call into question the validity of European Commission decisions of adequacy for other countries and systems, or at a minimum invite Member State data protection authorities to second guess the validity of the decisions.
If adopted, what would the opinion mean for European data protection?
The decision would materially lower the protection for European personal data in the United States because it would eliminate the role of the Federal Trade Commission. Regardless of any perceived shortcomings in Safe Harbor enforcement, the reality is that the FTC has pursued dozens of Safe Harbor cases to conclusion, and U.S. companies are greatly motivated by concerns about FTC enforcement actions. It is an extraordinary benefit for European data protection that the FTC will enforce European data protection rights against US companies on US territory. All of this would be forfeited under the views in the opinion.
What should Safe Harbor companies do now?
Although the Advocate General's opinion is not binding, and there are strong reasons for the ECJ to take a different approach, companies participating in Safe Harbor should begin to consider alternative arrangements in case the full court adopts the same view, such as the preparation of model agreements, reliance on derogations such as consent or perhaps, where practical, development of Binding Corporate Rules. As with all data protection issues, there can be no one-size-fits all solution for these issues. In any event, companies will need to stay tuned to the final developments on the U.S.-EU discussions on Safe Harbor, the implementation of the Umbrella Agreement and the ECJ's approach to these issues.
Photo credit: Marina del Rey California via photopin (license)