Monday, October 12, 2015

EU-US Data Transfer Agreement Invalid - And I Lost a Bet!

Earlier this month, I chaired a Minnesota CLE on privacy where University of Minnesota Law School Professor William McGeveran and I had a very public and spirited discussion concerning the expected ruling on a European Court of Justice case initiated by a young Austrian privacy activist, Max Schrems. At stake was the 15-year-old EU-US Safe Harbor Framework that allowed US companies to collect and transfer personal information from the 28 member countries of the EU to the United States.

Our discussion of the case ended with a bet: if the European Court invalidates the Safe Harbor, I buy dinner. If the Safe Harbor remains intact, I win.

Well, I lost the bet.

On October 6, the European Court of Justice ruled in favor of Schrems, holding that the European Commission's decision establishing the EU-U.S. Safe Harbor framework is invalid.

What is the Safe Harbor? In Europe, privacy is a fundamental human right. The collection, use, and transfer of personal information is governed by the EU Data Protection Directive. According to this Directive, personal data cannot be transferred to any country outside the EU that is considered to have inadequate data privacy protection. The United States is one of the countries considered to have inadequate data privacy protection. As a result, transfers of personal information from the EU to the United States are prohibited unless the business (a) uses EU-approved binding corporate rules (BCRs), (b) uses EU-approved model contract clauses, or (c) (until now) complies with the EU-US Safe Harbor framework.

In 2000, to accommodate EU privacy concerns and permit the transfer of personal data from the EU to the United States, the United States Department of Commerce reached agreement with the European Commission on certain Safe Harbor privacy principles and a process allowing a business to self-certify its compliance with those principles. Over 4,500 companies have participated in the Safe Harbor framework.

In the wake of revelations by Edward Snowden about US government surveillance and the perceived lax enforcement of Safe Harbor compliance, European regulators have publicly questioned the Safe Harbor program. The FTC has responded with a number of enforcement actions and for the past two years the United States and the EU have been considering a new Safe Harbor agreement.

If you're interested in more information about the Safe Harbor framework (and who wouldn't be), you can find it on pages 111-116 of A Legal Guide to Privacy and Data Security.

What is the potential impact of the October 6 ruling? The EU-US Safe Harbor framework is invalid immediately. A data protection authority (DPA) in the EU is now authorized to examine complaints brought to it by data subjects and to pursue investigative actions as necessary to determine whether a transfer of personal data is proper under the relevant data protection laws. Data flows could be suspended and fines imposed. Participating in the Safe Harbor framework no longer offers any protection. We are likely to see a new wave of complaints that might compel a DPA to take some action.

If you are a business that has depended upon Safe Harbor protection or is otherwise involved in the movement of personal data between the European Union and the United States: don't panic.

While the decision takes immediate effect, it is unlikely that the DPA of any particular country will immediately initiate investigations or challenge the data privacy practices of an American business. It will take some time for each DPA to figure out exactly what it can and should do as a result of this decision. Also, this ruling does not give a DPA authority to pursue any business directly, but only to investigate allegations made through a formal complaint. It will likely take some time for the consequences of this decision to percolate through the regulatory and enforcement process.

However, a business should not wait for a complaint to surface. Now is the right time to review the flows of personal information from the EU and the risks that exist with any particular country and DPA. If you depended upon the Safe Harbor, explore the alternative methods for compliance, such as EU-approved BCRs, model contract clauses, consent, and others available based upon your unique circumstances. Some large technology companies are already considering EU-based cloud providers or otherwise making sure that personal data never leaves the EU, not even for a transfer to a server in the United States. No doubt the loss of the Safe Harbor will result in a search for new ways to assure compliance with European privacy laws.

How Did This Happen? In 2013 Max Schrems filed a complaint with the Irish DPA claiming that US law and practices provided inadequate protection to the personal information of EU citizens. Schrems's complaint was based on his use of Facebook and the transfer of his personal information to a server in the United States. He alleged that the Snowden revelations and possible government access to his personal information held by Facebook amounted to a violation of EU privacy law. The Irish DPA rejected his complaint, determining that Facebook was covered by the Safe Harbor and that it was not required to investigate the matter any further. Schrems then went to the Irish High Court, which referred the case to the European Court. The EU Advocate General, who serves as an advisor to the European Court, issued an opinion that went much further than expected. The Advocate General's opinion covered not just the right of a DPA to investigate complaints related to the adequacy of privacy protection; it also challenged the validity of the entire Safe Harbor framework. For the most part, the October 6 European Court decision followed the opinion of the Advocate General and declared the entire Safe Harbor framework invalid.

So Why Did I Take That Bet? The United States government had been aggressively lobbying to maintain the Safe Harbor and working with EU officials to keep it going. Thousands of businesses rely upon the Safe Harbor for the movement of information. The Advocate General's opinion and the European Court ruling went far beyond the narrow questions raised by the Irish High Court. All that the European Court had to do was refer the case back to the Irish High Court with a ruling that a DPA is permitted to further examine Schrems's complaint. There was no need to also declare the Safe Harbor invalid. Sometimes politics are as important as the law. This decision clearly demonstrates EU dissatisfaction with the United States' approach to privacy and a concern with the Snowden revelations.

Any recommendations for a nice (and inexpensive) place for me to take Professor McGeveran to dinner?
