One Giant Leap For Privacy: Europe Strikes Down Safe Harbor, Sweeping the Rug Under the Feet of US Tech Companies

By: Nebyu Retta

Overview

His name is Maximilian.  It’s not a name we hear every day in the U.S.  The name itself echoes sentiments of power, prominence and vision.  It’s also perhaps somewhat reminiscent of the great and mighty Roman generals of centuries ago, “Maximus” and “Aemilius.”  Well, maybe I’m taking things too far, especially considering the likelihood that his friends just call him “Max.”

On Monday, October 6, 2015, the Court of Justice of the European Union (“ECJ”) ruled that the fifteen-year-old International Safe Harbor Privacy Principles (hereinafter, the “Safe Harbor” or “Safe Harbor Principles”) between the U.S. and the European Union (“EU”) are no longer a valid basis for the transfer of personal data from the European Economic Area (“EEA”) to the U.S.

One thing is for sure: the twenty-eight-year-old Maximilian Schrems led a charge that persuaded the EU’s highest court that data privacy protection is a fundamental right, potentially disrupting data privacy and surveillance law for many years to come.

The Safe Harbor

The EU Data Protection Directive (hereinafter, the “Directive”) sets forth high standards of privacy protection for EU citizens.  Moreover, it strictly prohibits European firms from transferring personal data to countries with weaker privacy laws.  However, it created an exception where the foreign recipient has agreed to meet EU standards under the Directive’s Safe Harbor Principles.  The Safe Harbor framework required:

  • Notice – People had to be informed that their data was being collected and how it would be used.
  • Choice – People had to be afforded an opportunity to opt out of data collection and of transfer to third parties.
  • Onward Transfer – Data could only be transferred to third parties that themselves follow adequate data protection principles.
  • Security – Reasonable measures had to be taken to prevent loss of the collected information.
  • Data Integrity – Data had to be relevant and reliable for the purpose for which it was collected.
  • Access – Individuals had to be able to access the information held about them and be given an opportunity to correct or delete it if it was inaccurate.
  • Enforcement – There had to be an effective means of enforcing these rules.
  • Certification – After an organization opted in, it had to re-certify every twelve (12) months to verify that it still met all of the compliance requirements.

In the U.S., oversight of the Safe Harbor was delegated to the Federal Trade Commission (“FTC”) and the Department of Commerce (“DOC”), with only minimal supervision by the European Commission.  Accordingly, many viewed the Safe Harbor as merely a loose promise of compliance by the U.S.  Schrems was able to show that this lack of attention and oversight by U.S. authorities, together with Edward Snowden’s leaks regarding U.S. government surveillance, undermined the framework, and that showing ultimately led to the recent case in which the European Court invalidated the Safe Harbor.

The ECJ Decision

Schrems brought the case to the ECJ on appeal, after initially being shot down by the Irish Data Protection Commissioner.  The High Court’s ruling established that the Safe Harbor agreement was invalid.  In its reasoning, the Court focused on the protection of individual data privacy as a fundamental human right.  In particular, the High Court explained that large-scale collection and transfer of personal data with no means of redress or effective judicial protection for EU citizens violates this right.  Furthermore, the High Court emphasized that the Safe Harbor lacked the requisite safeguards for privacy protection and failed to satisfy the requirements of the Directive.  Therefore, the Safe Harbor was effectively deemed invalid.

Reaction

This decision has received tremendous backlash from policy makers in Washington, DC.  U.S. Secretary of Commerce Penny Pritzker expressed her disdain for the ruling by describing it as “[c]reat[ing] significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy.”  Yet companies such as Microsoft and Salesforce have issued statements saying that the decision will not have a significant impact on their consumer services.

Likewise, Schrems seems to share a similar view, stating that: “[t]here are still a number of alternative options to transfer data from the EU to the US. The judgement makes it clear that now national data protection authorities can review data transfers to the US in each individual case – while ‘safe harbor’ allowed for a blanket allowance. Despite some alarmist comments I don’t think that we will see major disruptions in practice.”

Impact

Although Schrems seems to think that this decision will not change much in practice, its outcome is still unclear.  What is clear is that U.S. tech companies will have to continue to ramp up their compliance programs and recognize that Europe is not messing around when it comes to data privacy protection.  EU member states will now be responsible for administering and enforcing oversight of data transfers through their own authorities.  Additionally, member states may suspend data transfers from within their borders that were once allowed.  This will likely be a nightmare for U.S. tech companies, as they will now have to scramble to figure out how to comply with dozens of data-privacy regimes.

Certainly, U.S. tech companies such as Facebook, Amazon, and Google will have to reassess their means of transferring data.  In doing so, their legal teams may decide to reconsider the following:

  • Scope – Assessing whether the data transferred can be limited so that fewer privacy issues arise.
  • Anonymity – Assessing whether there are ways to scrub personal identifiers from the data completely.
  • Model Contracts – Many Silicon Valley companies are looking into the legality of incorporating such contracts into their agreements with EU counterparties.  In the past, the EU has approved certain model contract clauses between member states and foreign entities.  Today, it remains unclear whether this route has been barred in light of the recent Schrems ruling.  To be on the safe side, companies wishing to rely on these standardized contractual clauses should consider consulting or renegotiating with each EU data exporter with which they do business, so as to incorporate the appropriate model clauses into their agreements.

Bio

Nebyu is a fourth-year evening division student at Suffolk University Law School and a staff member of the Journal of High Technology Law. He received his undergraduate degree in English Studies and Business Administration from The University of South Carolina (Columbia, SC).