The Demise of the EU-U.S. Safe Harbor Agreement
Maximillian Schrems, an Austrian law student, is at the center of a monumental shift in data relations between the United States and the European Union; a shift that revolves around a clash in philosophies regarding data privacy.
The EU views privacy as a fundamental human right. The U.S. does not. Americans seem willing to relinquish control of personally identifying data, as long as the data is protected and used responsibly. When a company does not protect personal data, Americans express their displeasure in the form of civil litigation rather than legislation.
In comparison, the EU codified data privacy rights in 1995 in Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, P. 31) (“Data Protection Directive”). This directive provides strong data privacy rights for EU citizens. Most notably, each EU citizen has the right to, at any time, revoke previously given consent to obtain or use personally identifying data, access their own personally identifying data, and correct that personally identifying data.
Because of these stronger data privacy rights, the transfer of personally identifying data from the EU to the U.S. concerns many EU citizens and policy makers. The primary fear, which was intensified by the Edward Snowden revelations, is that U.S. companies will not respect EU Data Privacy Laws.
Under the Data Protection Directive, companies can legally transfer data from the EU to the U.S. by obtaining consent from the data owner, entering into data protection agreements, creating binding corporate rules, or implementing model clauses. These methods are far from ideal, however. They are expensive and subject U.S. companies to the jurisdiction of EU Data Privacy Commissions.
As e-commerce, remote work, and social media grew in popularity, the digital transfer of personal data became a regular part of daily life and existing data transfer methods proved unwieldy and burdensome. In response, the U.S.-EU Safe Harbor Agreement (“Safe Harbor”) addressed these concerns by creating a streamlined process for U.S. companies to comply with the Data Protection Directive. Companies that self-certify with the FTC under Safe Harbor agree to abide by the principles of EU data privacy laws but are under FTC jurisdiction instead of EU jurisdiction.
While Safe Harbor addresses the concerns of U.S. companies, many in the EU criticize Safe Harbor as ineffective, maintaining that the self-certification process and lack of substantive enforcement render Safe Harbor meaningless. In addition, classified documents made public by Edward Snowden in 2013 indicate that certain U.S. intelligence services allegedly tap into the central servers of major U.S. Internet companies and access personal data. By complying with U.S. law and allowing the government access to this data, companies cannot also adhere to the data privacy principles agreed to under Safe Harbor.
This very concern prompted Maximillian Schrems to file a complaint with the Irish Data Protection Commissioner regarding his personally identifying data collected by Facebook. As a Facebook user for over seven years, Mr. Schrems contends that a portion (if not all) of his data was transferred from Facebook’s Irish subsidiary to Facebook data servers located in the U.S.
The Irish Data Protection Commissioner originally rejected Mr. Schrems’ complaint, citing the Safe Harbor agreement as sufficient evidence that Facebook provided adequate levels of protection for the personally identifying data transferred to the U.S.
While Facebook is Safe Harbor certified, Mr. Schrems maintains that the Snowden revelations prove that U.S. law and policy are such that it is impossible for a company to simultaneously comply with Safe Harbor standards and U.S. law. As such, Mr. Schrems appealed his case to the High Court of Ireland.
On Sept 23, 2015 Advocate General Yves Bot (“AG Bot”) issued a strongly worded opinion in Maximillian Schrems v. Data Protection Commission (case C-362/14), urging the Court of Justice of the European Union to suspend the existing Safe Harbor Agreements.
Less than two weeks later, the Court of Justice of the European Union did just that. On October 6, 2015 the Court invalidated Safe Harbor, declaring that Safe Harbor compromises the fundamental right to privacy, denies the right to judicial protection, and prevents enforcement of EU laws.
Effective immediately, the Court of Justice’s ruling creates very real problems for any U.S. company that relies on Safe Harbor to transfer data from the EU to the U.S. As of October 6, both future and all past data transfers completed under Safe Harbor are illegal.
Adding to the confusion is the fact that the European Commission and U.S. authorities are in the process of negotiating Safe Harbor reforms. The Court of Justice’s decision to invalidate Safe Harbor full stop creates an abrupt and unexpected obstacle for these negotiations. The ambiguity surrounding the legal and political future of personal data transfer from the EU leaves U.S. companies, operating under Safe Harbor, a choice between a limited set of less than ideal options:
1. Immediately cease all data transfer and update current systems and processes to comply with the EU Data Protection Directive. Besides being extremely disruptive to business, it may also be difficult to completely shut off all forms of data transfer (such as employee information needed for hiring and payroll) between the U.S. and the EU.
2. Continue operating as normal while concurrently developing new systems, hoping that the EU delays enforcing the Data Protection Directive and allows formerly Safe Harbor certified companies an opportunity to update systems and processes in order to comply with the Data Protection Directive outright. While the business may not suffer the full effects of a shutdown, a potentially substantial risk of legal proceedings exists.
3. Implement an interim solution that ceases all non-essential transfers of personal data and focuses on ensuring compliance for critical data transfers, while waiting for the European Commission and U.S. authorities to continue their Safe Harbor reform negotiations. Relying on a diplomatic solution is a gamble that some companies may be willing to take. If a satisfactory solution cannot be worked out politically, then there is always Option 4.
4. Cease all business in the EU that may result in the transfer of personal data from the EU to the U.S. This response to the Court of Justice’s ruling may seem extreme, but for smaller businesses it may end up being the most economically rational response if the cost of compliance is greater than the benefit of doing business in the EU.
None of these options is ideal, and each one presents significant challenges and uncertainty for U.S. companies. Not only will the initial work of updating technological systems and business processes be expensive and time consuming, but the potential of increased oversight, auditing, and regulatory action imposed by EU Data Commissions will also result in a rise in the daily operating costs of any company that transfers personal data from the EU to the U.S.
The full extent of the damage caused by the demise of Safe Harbor remains unknown, but one thing is certain: this change in data relations between the U.S. and the EU signals a substantial increase in the cost of doing business in and with the EU.
Deborah J. Hinck is a Colorado native who has recently adopted Boston, Massachusetts as home. She received her B.S. with a double major in Electrical Computer Engineering and Applied Mathematics from the University of Colorado and her M.A. in Communications from the University of Washington. Deborah is expected to graduate from Boston University with a Juris Doctor in Spring 2017. She is interested in technology law and policy, including intellectual property, digital privacy, and digital security. Deborah hopes to contribute in these areas in the future.