Data Transfers: EU Court Declares EU/US Safe Harbor “Invalid” – What Now?
U.S. companies with European business will most likely mark 6 October 2015 as a dark day on their calendars. The highest EU court, the European Court of Justice (ECJ) in Luxembourg, declared the fifteen-year-old EU decision authorizing the EU/US Safe Harbor “invalid.” The judgment is not appealable. This is a serious issue for the entire industry. The United States has no general data protection law that the European Commission recognizes as providing an “adequate” level of protection. The European Commission and the U.S. Department of Commerce therefore agreed in 2000 on a self-certification program for U.S. organizations that receive personal data from Europe. Under this program, a U.S. organization receiving personal data from Europe certifies that it adheres to standards of data processing comparable to EU data protection law, so that EU citizens’ personal data are treated as adequately as if they had remained in Europe. The Safe Harbor program is operated by the U.S. Department of Commerce and enforced by the Federal Trade Commission (FTC). Over 4,000 organizations hold current self-certifications of adherence to the Safe Harbor Principles. With the landmark ECJ decision, this Safe Harbor has now been thrown into jeopardy.
The ECJ decision poses significant challenges, in particular for U.S. companies. Paragraph 106 of the judgment reads as follows: “Having regard to all the foregoing considerations, it is to be concluded that Decision 2000/520 is invalid.” This invalidates the EU Commission’s decision establishing the EU/US Safe Harbor, issued fifteen years ago. The Court is crystal clear: this key decision is invalid, and data transfers relying on the Safe Harbor program thus lack any legal basis. But what does this mean for international businesses? Do all data flows to the U.S. need to stop immediately? A transitional period during which Safe Harbor would remain valid, a tool the German Federal Constitutional Court frequently uses to mitigate the consequences of laws it declares unconstitutional, is not mentioned in the judgment. If and when the EU and the U.S. will reach a deal on a “new Safe Harbor” remains anyone’s guess, given the high bar set by the ECJ. Many observers are pessimistic about the success of such negotiations and are concerned about the broader negative impact on the Transatlantic Trade and Investment Partnership (TTIP) negotiations. They fear that TTIP could be delayed even further.
European companies that have relied on the Safe Harbor program for many years, and their U.S. partners, are now in an awkward situation. The U.S. partners (the data importers) have acted in good faith, relying on the validity of the Safe Harbor program through voluntary registrations on the public Safe Harbor list managed by the U.S. Department of Commerce. They are exposed to the U.S. authorities, knowing that any lackluster implementation of the Safe Harbor Principles within the company could trigger investigations or even sanctions by the Federal Trade Commission, which oversees the program. For these companies, the ECJ has pulled the rug out from under their feet. Even the data protection authorities in Europe don’t seem too excited about the decision. They already struggle with limited resources and now, on top of their heavy workload, may need to cope with an avalanche of individual complaints and requests for individual approvals of data transfers from companies and other data exporters, not to mention the risk of additional lengthy litigation in court.
The impact of the ECJ judgment goes far beyond the Safe Harbor program, while the underlying facts are not fully on the table. A few hours after the decision was handed down in Luxembourg, the EU Commission rushed into a press conference to calm the storm. Two EU Commissioners stepped forward and stated that the ECJ’s invalidity ruling only affects the EU/U.S. Safe Harbor program. There would still be ample room for other legal bases to safeguard the flow of EU data to the United States, such as the EU standard contractual clauses. They also referred to the so-called Binding Corporate Rules (pre-approved group-wide policies), which in practice are deemed too bureaucratic and too costly for most companies. The UK Information Commissioner also entered the fray that day, reassuring industry on its website that regulators understand that moving away from Safe Harbor to other compliance mechanisms takes time.
But the question remains: How reliable are these legal alternatives? The same arguments the ECJ put forward to invalidate Safe Harbor can and should be applied to the EU standard contractual clauses, prior authorizations by national regulators, and the Binding Corporate Rules. Data transferred and stored under those instruments can equally be monitored by U.S. intelligence. Paragraph 90 of the judgment states:
“[…] the Commission found that the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the Commission noted that the data subjects had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.”
These statements of the Court apply to all data transfers to the U.S., not only to transfers under Safe Harbor. For the ECJ judges, these vague findings of the Commission were already sufficient to ramp up their heavy artillery and rule that the Safe Harbor program is invalid. But the statements in paragraph 90 don’t warrant the ruling, for example:
a) By criticizing “U.S. surveillance,” the ECJ is on thin ice. It is already sufficient for the ECJ that the U.S. authorities “were able” to access the data (as described in paragraph 90). Even after the Snowden revelations, there is still no clear evidence for this, especially not for a nexus between Safe Harbor data and “access” to it by the U.S. authorities. Moreover, since 2013, when the Commission report cited by the Court came out, a number of new legislative measures restricting bulk data collection have been put into place, most recently the USA Freedom Act of 2 June 2015. The U.S. government, for its part, points to the data retention laws in Europe, under which millions of traffic data records are available to European authorities; in fact, Germany is in the process of adopting its own data retention law. But the ECJ didn’t address the eavesdropping situation within the EU at all. With a lot of blame going around on both sides, the debate shows that eavesdropping on EU citizens and bulk data collection by the NSA remain emotionally charged political issues. These issues should be resolved between the governments. A political settlement would also need to include other alleged bulk data collectors, such as the British authorities. Instead of leaving this dispute on the political level where it belongs, the ECJ, catering to activists who are frustrated that not much progress has been made, imposes requirements on industry with which companies, due to conflicting laws on data access and data collection in each jurisdiction, may not be able to comply.
b) The second observation of the ECJ in paragraph 90 is the deficit of legal protection for EU data subjects in the United States. This concern is easier to understand, but the lack of judicial access and effective remedies likewise affects all data transfers to the U.S., not only the Safe Harbor program. The current rules in the United States may not be sufficient for EU citizens to seek access and redress when their personal data are transferred to and stored in the United States, but this complaint has been hanging in the air for many years and doesn’t warrant a court ruling that the entire Safe Harbor program is “invalid.” The Court’s conclusion is unfortunate, as developments have recently been moving in the right direction. The Judicial Redress Act (H.R. 1428, sponsored by Rep. Sensenbrenner), currently pending in Congress, is one example. If adopted, it would grant EU citizens a right to seek judicial review under the Privacy Act of 1974 against certain U.S. agencies. It is uncertain when this bill will finally be adopted. If the ECJ’s goal was to put pressure on the U.S. government and the EU Commission to negotiate fair judicial access as part of a revised Safe Harbor program, the Court would have fared much better by imposing a deadline on the Commission for the conclusion of such negotiations to ensure legal protection for EU citizens and their personal data. The United States would have been put on notice. Instead, the judges threw the baby out with the bathwater, thereby jeopardizing the Commission’s ongoing negotiations with the U.S. government.
The declaration that the Commission’s fifteen-year-old decision is invalid is very unfortunate for U.S. companies with EU-wide business. The ECJ kicks the enforcement responsibility over to the national data protection authorities without giving them any guidance. If some of them “suspend” data flows and others don’t, Europe will become a regulatory patchwork. Germany, for instance, has a data protection authority in each state. Lackluster enforcement practices in one region and proactive regulators in another may also infringe upon the principle of equal enforcement and trigger more court actions. The only limit is paragraph 65 of the ECJ judgment, whereby these authorities have no right to challenge or overrule the “adequacy” decisions of the Commission themselves (Article 25(6) of Data Protection Directive 95/46/EC); only the Court can declare such a decision invalid. Other than this, all kinds of measures are conceivable. The European regulators and courts should not expect that the Federal Trade Commission (FTC) will now jump into action to help them enforce the ECJ judgment in the United States. Under the Safe Harbor program now ruled “invalid,” the FTC was at least involved in enforcing compliance, which in itself benefited EU consumers. Even more aggravating for U.S. companies, U.S. courts and U.S. authorities could treat the ECJ’s and EU law’s restrictions on international data transfers as foreign “blocking statutes,” which U.S. courts generally do not accept as an excuse for non-compliance with discovery; in U.S. court, these restrictions would then be irrelevant. The companies affected would then be left between a rock and a hard place: either they comply with a U.S. subpoena or a U.S. court order, or they run into problems with the European authorities.
To sum up, the new ECJ decision is part of a disturbing trend of the ECJ trying to enforce EU data protection law worldwide. In this respect, the judgment is in line with the ECJ decision of 1 October 2015 (C-230/14, “Weltimmo”), in which the ECJ ruled that the presence of a single representative in a Member State may be sufficient to trigger that state’s data protection jurisdiction. Whether this crusade actually serves the competitiveness of European businesses is anyone’s guess. Investments and innovations may not happen because of the uncertain legal environment in this sector. Alternatively, if the ECJ judgment doesn’t trigger drastic enforcement actions by European authorities, the big waves the judgment has created will soon fade away, undermining the credibility of the EU data protection rules as a whole. Realistically speaking, at least in the short term, the bulk of EU consumers will continue to use the services of many U.S. companies. They prefer their products and won’t see many changes or service disruptions.
Dr. Axel Spies, Morgan Lewis & Bockius, Washington, DC. Dr. Spies is the author of AICGS Issue Brief 46: German/U.S. Data Transfers: Crucial for Both Economies, Difficult to Regain Trust and A Reasonable Expectation of Privacy? Data Protection in the United States and Germany.