No More Safe Harbor, U.S. Companies Should Tread Lightly

Blog Posts 0 Comments

ECJ v. USA 1

By: Corinne Moini,

“Depending on whom you talk to and what month it is, the United States and the European Union are either on the brink of a digital trade war or reaching a historic e-commerce deal.”[1] The current state of disarray between the two parties is due to a landmark European Court of Justice (“ECJ”) decision. More specifically, on October 16, 2015, the ECJ invalidated the fifteen-year U.S.-EU Safe Harbor Framework, a data-storage agreement between the United States and the European Union.[2] The case in which the ECJ’s groundbreaking decision came from is Maximillian Schrems v Data Protection Commissioner.[3] Where Schrems, an Austrian law student, filed a complaint with the Irish Data Protection Commissioner (“DPC”) about Facebook transferring large amounts of his personal information to the United States.[4] The complaint was filed in a post-Snowden era, expressing concern for how little data protection existed against surveillance by the United States.[5] The DPC rejected his complaint and Schrems appealed his claim to the Irish High Court, which was referred to the ECJ for clarifications.[6]

The ECJ issued a much broader holding, answering the immediate question about DPC authority and invalidating the U.S.-EU Safe Harbor Agreement.[7] The ECJ held that the Safe Harbor agreement does not provide adequate protection. This agreement allowed American companies “to self-certify” that they were providing “adequate protection” for the data of European users.[8] The Court suggests that the Safe Harbor agreement “enables interference, by United States public authorities, with the fundamental rights of persons,”[9] and to permit this agreement to continue would be “compromising the essences of the fundamental respect for private life…and of the fundamental right to the rule of law.”[10]

Even more unsettling to the United States, is the looming legal enforcement against American companies, if they do not implement protections that align with European data security laws. The Working Party 29, an association of European Data Protection Commissioners,[11] has threatened to begin legal enforcement after February 1, 2016, if a new agreement between the two parties cannot be made.[12] The end of the safe harbor agreement affects over 4,000 U.S. companies that outsource data from the EU to the United States.[13] As we are entering the third week of February, it is clear that deadline for a new agreement has passed. However, the European national data protection agencies have delayed legal enforcement against American companies because the European Commission announced a tentative agreement called the EU-U.S. Privacy Shield.[14] The deal makes several changes to the previous agreement; but most of which are “toothless…including expedited dispute resolution requirements, [and] [additional] layers of annual reviews and expand[ed] privacy bureaucracies at both the Department of Commerce and the Federal Trade Commission.”[15] The European data agencies are currently reviewing the EU-U.S. Privacy Shield and anticipate a decision regarding the new agreement by the end of March. Until then U.S., privacy lawyers remain wary. Brian Hengesbaugh, a lawyer at Baker & McKenzie, who helped negotiate the original safe harbor deal in 2000, commented, that “the ruling is so sweepingly broad that any mechanism used to transfer data from Europe could be under threat.”[16] For now, American companies that collect data from the EU should implement new data protection laws and tread lightly.

 

[1] Abraham Newman, After Safe Harbor: Bridging the EU-U.S. Data-Privacy Divide, World Politics Review (Feb. 9, 2016), http://www.worldpoliticsreview.com/articles/17898/after-safe-harbor-bridging-the-eu-u-s-data-privacy-divide.

[2] See U.S.-EU Safe Harbor Framework, Federal Trade Comm’n, https://www.ftc.gov/tips-advice/business-center/privacy-and-security/u.s.-eu-safe-harbor-framework (last updated Nov. 6, 2015).

[3] See Case C-362/14, Maximillian Schrems v. Irish Data Protection Commissioner, InfoCuria, http://curia.europa.eu/juris/liste.jsf?pro=&lgrec=en&nat=or&oqp=&dates=&lg=&language=en&jur=C%2CT%2CF&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&num=C-362%252F14&td=%3BALL&pcs=Oor&avg=&page=1&mat=or&jge=&for=&cid=284436 (last visited Feb. 15, 2016).

[4] See id.

[5] See Max Schrems v Irish Data Protection Commissioner (Safe Harbor), Elec. Privacy Info. Ctr., https://epic.org/privacy/intl/schrems/ (last visited Feb 15, 2016).

[6] See id.

[7] See Donald G. Aplin, Views on the Invalidation of the U.S.-EU Safe Harbor From James H. Koenig, Of Counsel, Paul Hastings, Bloomberg BNA (Nov. 23, 2015) http://www.bna.com/views-invalidation-useu-n57982063840/.

[8] BBC http://www.bbc.com/news/technology-34442618.

[9] Press Release, Court of Justice of the European Union, The Court of Justice declares that the Commission’s US Safe Harbour Decision is Invalid (Oct. 6, 2015)
(available at http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf).

[10] Id.

[11] See EU Data Protection Directive, Elec. Privacy Info. Ctr., https://epic.org/privacy/intl/eu_data_protection_directive.html (last visited Feb 15, 2016).

[12] See Kelli Clark, The EU Safe Harbor Agreement Is Dead, Here’s What To Do About It, Forbes (Oct. 27, 2015) http://www.forbes.com/sites/riskmap/2015/10/27/the-eu-safe-harbor-agreement-is-dead-heres-what-to-do-about-it/#ba5b29971719.

[13] See Mark Scott, Data Transfer Pact Between U.S. and Europe Is Ruled Invalid, NY Times (Oct. 6, 2015) http://www.nytimes.com/2015/10/07/technology/european-union-us-data-collection.html.

[14] Press Release, European Commission, EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield (Feb. 2, 2016) http://europa.eu/rapid/press-release_IP-16-216_en.htm.

[15] Larry Downes, The Business Implications of the EU-U.S. “Privacy Shield,” Harvard Business Review (Feb. 10, 2016) https://hbr.org/2016/02/the-business-implications-of-the-eu-u-s-privacy-shield.

[16] Mark Scott, supra note 12.

 

Photo Source:  http://cdn.static-economist.com/sites/default/files/imagecache/full-width/20151010_IRD001.jpg