TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout
PSR18_Web_300x250-COPY
GDPR-Ready_300x250-Ad

What did the Advocate General decide regarding Safe Harbor?

An Advocate General for the European Court of Justice has just issued a much-anticipated, non-binding opinion regarding the EU/US Safe Harbor Privacy Arrangement (see Advocate General's Opinion in Case C-362/14, Maximillian Schrems v. Data Protection Commissioner). Going beyond the specific question posed in the case, the Advocate General proposed to the European Court of Justice that Safe Harbor as a whole should be deemed invalid.

What question was the ECJ asked to resolve?

The ECJ was asked to consider whether the Irish Data Protection Commissioner "may and/or must" independently evaluate whether the third country (in this case, the United States through the implementation of Safe Harbor) offers "adequate protection" for personal data within the meaning of the European Data Protection Directive (95/46/EC), or whether the Irish Data Protection Commissioner is bound by European Commission's Article 25(6) decision in this regard. The concerns in the underlying case related to the extent of data accessed by the U.S. National Security Agency and other U.S. authorities as described in Edward Snowden's revelations in 2013.

What are some of the key concerns with the Advocate General's opinion?

Although it is clear that the Advocate General's views are motivated by a strong and genuine concern for data protection and civil liberties, it is equally clear that there are issues with the opinion's analysis and conclusions. Among other concerns, the opinion makes frequent references to the U.S. government's perceived "mass and indiscriminate surveillance and interception" of personal data. It does not, however, address nor analyze in any meaningful detail the many changes in U.S. law and policy that have occurred since those revelations came to light.  

The USA Freedom Act was signed by President Obama in June of 2015 and includes provisions protective of privacy and civil liberties, including: elimination of bulk data collection of call data from providers by imposing requirements for specific selection terms; permission for FISA courts to appoint an individual or organization to provide, among other things, legal arguments that advance the protection of individual privacy and civil liberties; requirements for FISA courts to find that the data collection procedures meet applicable standards for data minimization, and allowance of certain nondisclosure orders to be challenged immediately by the recipient. 

With regard to policy changes, President Obama issued in June of 2014 Presidential Policy Decree 28 (“PPD-28”), which applies to all signals intelligence activities (electronic system monitoring) and provides that “[p]rivacy and civil liberties shall be integral considerations” in such activities. PPD-28 sets out specific principles to be followed for safeguarding personal data collected from signals intelligence activities, including: (i) minimization; (ii) data security and access; (iii) data quality; and (iv) oversight. PPD-28 also includes requirements for privacy and civil liberties policy officials, a coordinator for international diplomacy related to foreign inquiries on signals intelligence and periodic reporting by the Director of National Intelligence.

From a transatlantic perspective, the EU-U.S. data protection "Umbrella Agreement" has now been approved by US and European authorities. This Umbrella Agreement establishes a comprehensive, high-level data protection framework for EU-U.S. law enforcement cooperation and to provide safeguards and guarantees of lawfulness for data transfers. In particular, once certain implementing legislation is adopted, EU citizens will under the agreement have the same judicial redress rights as U.S. citizens in case of privacy breaches.  

Moreover, although the opinion suggests that the European Commission has taken no action to update the Safe Harbor since its inception, the European Commission and the U.S. Department of Commerce are engaged in a comprehensive review of Safe Harbor. Such agreement is reportedly "very close" to completion, and would establish an updated Safe Harbor program that addresses the Commission's specific points of concern with the program. 

If adopted, what would the opinion mean for Safe Harbor companies and their European trading partners?

For Safe Harbor companies and their European trading partners, the adoption of the opinion by the full court would cause material disruption to settled global data protection compliance programs, established business relationships and other consequences. Moreover, because the opinion seems to suggest that there would be no effective mechanism that could limit U.S. government access to data, the opinion would arguably apply equally to all data transfers to the United States, whether supported by Safe Harbor, Binding Corporate Rules, standard contractual clauses or other approaches. It would also call into question the validity of European Commission decisions of adequacy for other countries and systems, or at a minimum invite Member State data protection authorities to second guess the validity of the decisions. 

If adopted, what would the opinion mean for European data protection?

The decision would materially lower the protection for European personal data in the United States because it would eliminate the role of the Federal Trade Commission. Regardless of any perceived shortcomings in Safe Harbor enforcement, the reality is that the FTC has pursued dozens of Safe Harbor cases to conclusion, and U.S. companies are greatly motivated by concerns about FTC enforcement actions. It is an extraordinary benefit for European data protection that the FTC will enforce European data protection rights against US companies on US territory. All of this would be forfeited under the views in the opinion. 

What should Safe Harbor companies do now?

Although the Advocate General's opinion is not binding, and there are strong reasons for the ECJ to take a different approach, companies participating in Safe Harbor should begin to consider alternative arrangements in case the full court adopts the same view, such as the preparation of model agreements, reliance on derogations such as consent or perhaps, where practical, development of Binding Corporate Rules. As with all data protection issues, there can be no one-size-fits all solution for these issues. In any event, companies will need to stay tuned to the final developments on the U.S.-EU discussions on Safe Harbor, the implementation of the Umbrella Agreement and the ECJ's approach to these issues.

Photo credit: Marina del Rey California via photopin (license)

3 Comments

If you want to comment on this post, you need to login.

  • comment Brooks Dobbs • Sep 24, 2015
    Thank you Harry, Amy and Brian for this really excellent piece.  In particular thanks for pointing to the elephant in the room - that this isn't an indictment of Safe Harbor so much as it is a indictment of <i>any</i> legal mechanism of transfer to the US.  Having said that, I would ask why we then go to BCRs and MCs as suggested replacements?   Isn't the far simpler solution to just never bring personal data (like cookies, email addresses and IP addresses) of EU citizens into the US?  I say we build a firewall and have the EU pay for it!  Apologies that one seemed to write itself.
  • comment Damon Greer • Sep 24, 2015
    Having served as the director of the U.S.-EU and Swiss Safe Harbor Framework for more than five years (July 2006-September 2011), I think I know a little about the rigors of FTC enforcement, compliance with the Safe Harbor privacy principles and supplemental FAQs and the degree to which U.S. organizations give due diligence to their binding commitments to adhere to the framework (s).   Approximately 25% of the more than 5,000 companies "in" SH are delinquent in keeping their commitments current.  Many of them are no longer in business and haven't been for years.  At first, the Art. 29 WP preferred that they be kept on the public list in order to identify them to EU citizens. Others that have been pursued by FTC enforcement actions either had not been in Safe Harbor and thus were violating the FTC ACT of 1914 -- deceptive trade practices.  Neither BCRs, model contractual clauses, or direct compliance with the supervising authorities in the EU had any credible oversight since their inception and the WP and the national DPAs have remained silent about their efficacy as a viable cross border data protection tool. FTC lacks the resources to actively pursue cases on a regular basis and concentrates on the "low hanging fruit" to demonstrate its role as the enforcement body for SH.  Now, more than 50% of all SH companies use the data protection authorities for third party dispute resolution yet, I can count on one hand the number of complaints they have resolved.  The adequacy finding, moreover, allows national DPAs to suspend cross border data flows based on credible evidence that a SH member has not lived up to its obligations.  There is, however, a provision to suspend the entire framework en masse as the advocate general seems to imply.  Lastly, the Dashboard mentioned that one of the authors of the article was the lead attorney that negotiated Safe Harbor.  Please see the obituary of Barbara Wellbery who lead the International Trade Administration's E-Commerce Task Force and was recognized for her leadership in negotiating Safe Harbor.  The link is provided below.
    
    https://www.washingtonpost.com/archive/local/2003/03/11/washington-lawyer-barbara-lubin-wellbery/982f3d53-9a88-47a3-9943-9095e0a34a28/
  • comment Danny Koning • Sep 29, 2015
    Thank you Brian, Amy and Harry for this contribution. My question relates to this section: "It does not, however, address nor analyze in any meaningful detail the many changes in U.S. law and policy that have occurred since those revelations came to light." Since Europeans citizens have no judicial redress or rights under U.S. law , what would be the point in such a analysis?