In October, the Court of Justice of the European Union (CJEU) invalidated a European Commission ruling from 2000 and held that the “Safe Harbor Privacy Principles” were insufficient in providing Europeans their privacy rights under EU law.
Leading up to this decision, the “Safe Harbor Privacy Principles” had been exploited to transfer Europeans’ personal data to the United States. The CJEU ruled that the principles did not “sufficiently guarantee the protection” of Europeans’ personal data and, as a result, exposed them to what the court held as indiscriminate surveillance by the U.S. government.
The ruling by the CJEU has been met with mixed opinions. Edward Snowden, the NSA whistleblower, hailed the ruling as a victory for “digital rights” and that “we are all safer as a result.” However, United States Commerce Secretary Penny Pritzker remarked that the decision “undermines all businesses.”
Safe Harbor Agreement
In 1998 the European Union implemented the Data Protection Directive (DPD). The DPD regulates the processing and transfer of data within the EU. This means that the transfer of personal data on an EU individual to a third country may only occur if an adequate level of protection is afforded to that individual’s data. The DPD requires that each EU member nation create or designate a public authority to monitor the application of the DPD within its territory.
The DPD requires a potentially lengthy and costly process for third party nations that engage with data from EU individuals. As a result, in 2000, Brussels and Washington signed a safe harbor agreement to enable companies and international networks to easily transfer personal data to the United States without having to seek prior approval from each independent EU state privacy regulator. The safe harbor agreement meant that enforcement could be centralized through the Federal Trade Commission instead. U.S. companies could be included in the safe harbor scheme by adhering to the following seven principles:
- Access – individuals must have access to all information held about them.
- Choice – Individuals must have the choice to ‘opt out’ in data collection and transfer.
- Data Integrity – The data collected must be relevant and reliable to the collection purpose.
- Enforcement – There must be effective privacy protections to assure compliance to these principles.
- Notice – Organizations must inform individuals about the purposes for which it collects and uses information about them.
- Onward Transfer – Organizations may only transfer data to third parties if they follow adequate data protection principles.
- Security – Reasonable precautions must be taken to protect against, loss, misuse and unauthorized access, disclosure, alteration and destruction.
It was these principles that the CJEU ruled insufficient.
European Court of Justice Ruling
In October 2015, an Austrian citizen, Maximillian Schrems, filed a complaint regarding the processing by Facebook of his personal data from Ireland to servers in the United States. His complaint was referred to the CJEU. Schrems’ complaint stated, “In the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities.”
The ECJ ruled that the US-EU Safe Harbor Principles did not provide sufficient data protection guarantees. Specifically, the Court held that not all the US organizations were required to sign up to the Safe Harbor Principles and that any organizations which did adhere were “bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with national security, public interest and law enforcement requirements.” The court was primarily concerned with the mass revelations about the NSA schemes, such as PRISM. PRISM is the NSA’s mass data surveillance and collection program which makes demands upon internet companies under Section 702 of the FISA Amendments Act of 2008.
The result of the ruling is that the public authority for each EU nation must examine every complaint with “all due diligence”. In Schrem’s case, the Irish Data Protection Commissioner must decide whether the transfer from Facebook’s Irish servers to the United States maintains adequate protections under EU law.
Consequences of the EU Ruling
The implications of the CJEU ruling are widespread. Some 4,000 businesses relied upon the US-EU safe harbor agreement and are now under threat of being investigated by the EU if they continue to transfer date from EU individuals back to the United States. Companies like Google and Facebook have been using standard contracts to ensure their data transfers from the EU to the United States comply with the EU laws. Given the recent CJEU ruling, there is growing doubt that these methods be sufficient.
In Germany, data protection agencies are not granting any new data transfers to the United States and have stated that they will start investigations into claims that may have violated the CJEU ruling. Companies wishing to store data will need to build data centers in the EU do to it. For some companies this is not likely to be a welcome option. However, others have already started to adapt their data storage strategies. Microsoft has made an arrangement with German Telecom company Deutsche Telekom to maintain their data centers in Germany.
This means that Microsoft will not need or have the ability to transfer EU customer data to the United States. The CEO of Microsoft, Satya Nadella, stated that “new data center[s] … offer customers choice and trust in how their data is handled and where it is stored.” Although Microsoft has said that this move isn’t directly related to the spying revelations made public by Snowden, they have acknowledged that customers are looking for ways to keep their information private. Microsoft’s two German data centers are due to go online at the end of 2016 and are thought to be attractive to customers who handle sensitive data such as health or financial records.
Work is underway to construct a “Safe Harbor 2.0” in light of the CJEU ruling. Human rights and privacy organizations state that any new framework will be unlikely to “provide a viable framework for future transfers of personal information” unless it “commit[s] to a comprehensive modernization of privacy and data protection laws on both sides of the Atlantic.”
Although a headache for businesses, to privacy campaigners this decision has been heralded as a welcome response by the CJEU court. Schrems, the complainant in the safe harbor ruling, held that the ruling “clarifies that mass surveillance violates…fundamental rights.” This praise by privacy organizations may be short lived. Since the attacks in Paris, some pundits have already called for more surveillance and government control over individual data and not less. What seems clear is that the direction of EU-US data collection and transfer is far from certain.