EC To Step Up Talks With US as EU High Court Kills Safe Harbor
The European Commission vowed to ratchet up privacy talks with the U.S. following Tuesday's rejection by Europe's highest court of the EU-U.S. safe harbor agreement for transfer of personal data. The European Court of Justice (ECJ) ruled safe harbor invalid and ordered the Irish data protection authority to determine whether Facebook's transfer of European subscribers' data to servers in the U.S. should be suspended on the ground that U.S. privacy protections are inadequate. The decision confirms the EC's approach in its negotiations for a new agreement, EC Vice-President Frans Timmermans said at a news conference.
Privacy advocates and industry representatives differed over how damaging the ruling might be to trans-Atlantic data flows, with U.S. officials from both political parties criticizing the ruling. The decision, as many expected (see 1510050045), followed the Sept. 23 advisory opinion of the court's advocate general (see 1509230001). Facebook has done nothing wrong, a spokeswoman told us.
The judgment is an "important step" toward upholding Europeans' basic right to data protection, Timmermans said. He said he views the ECJ decision as confirmation of the commission's approach in its negotiations with U.S. authorities for a new system. Data transfers can continue using other mechanisms available under EU law, he said. The EC will set out "clear guidance" to national authorities on how to deal with transfers in light of the ruling, which should help avoid a patchwork of rules, he said.
In 2013, the EC made 13 recommendations to the U.S. about how to make safe harbor safer, Justice, Consumers and Gender Equality Commissioner Vera Jourova said at the news conference. The EC has been working hard with its American counterparts to revise the agreement and now intends to step up those discussions, she said. She outlined various other means for sending personal data to the U.S., and said the EC will put relevant information and contact points on its website to assist companies and work with the Article 29 Working Party of national regulators on a coordinated approach. The EC remains "fully committed" to data transfers across the Atlantic while ensuring privacy rights, Jourova said. She wouldn't predict a timeline for concluding the negotiations.
Schrems v. Data Protection Commissioner arose in 2013 when Max Schrems asked Ireland's privacy chief to investigate Facebook Ireland's decision to store European subscribers' personal data on servers in the U.S. The data protection commissioner rejected the complaint as unfounded, citing the EC's decision, in the safe harbor agreement, that U.S. privacy levels were adequate. On appeal, the Irish High Court asked the ECJ to clarify whether the data protection commissioner was bound by the EC's decision or could probe the charges. Tuesday, the ECJ said the existence of an EC decision that a non-EU country has adequate data protection levels doesn't affect the power of national authorities to ensure privacy rights are respected. But it said only the ECJ itself can decide whether an EC decision itself is valid.
Safe harbor only applies to U.S. companies that have signed it and doesn't bind U.S. public authorities, the court said. U.S. national security, public interest and law enforcement requirements trump the plan, requiring American companies to disregard the rules when they conflict with those requirements, it said. The U.S.'s generalized access to Europeans' electronic communications compromises the essence of the right to respect for private life; and the absence of laws giving Europeans access to data about them, or for correction or erasure of that information, jeopardizes the right to effective judicial protection, it said.
The advocate general who recommended the ECJ decision has said it's not about Facebook, the company's spokeswoman told us. “What is at issue is one of the mechanisms that European law provides to enable essential trans-Atlantic data flows,” she said. “Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the U.S. from Europe, aside from Safe Harbor,” she emailed. “It is imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security."
Panned in U.S.
On Capitol Hill and from the administration and U.S. industry, the response was negative.
Sen. Orrin Hatch, R-Utah, called the ruling disappointing, saying that without the agreement “the global economy will be deprived of the benefits of data services.” Senate Communications Subcommittee ranking member Brian Schatz, D-Hawaii, said in a news release that the ruling is the “digital equivalent of grounding all planes and stopping all shipping from Europe to the U.S. overnight.” Commerce Department Secretary Penny Pritzker and FTC Chairwoman Edith Ramirez must work urgently with their European counterparts to “rapidly issue clear guidance on data transfers,” Schatz said.
Since 2000, the agreement “has proven to be critical to protecting privacy on both sides of the Atlantic” and this ruling “creates significant uncertainty” that puts the “thriving transatlantic digital economy” at risk, Pritzker said in a statement. In the past two years, the Commerce Department has worked with the EC to strengthen the U.S.-EU safe harbor framework with robust and transparent protection, Pritzker said.
The FTC is reviewing the opinion and “evaluating its implications,” Ramirez said. The agency shares the “commitment of our EU counterparts to protect consumers’ personal information and privacy,” and will continue to work together to “develop effective solutions that protect consumer privacy with respect to cross-border data transfers," Ramirez said.
Senate Commerce Committee Chairman John Thune, R-S.D., said in a statement that the decision “harms consumers who benefit from trans-Atlantic data flows” and encouraged the Commerce Department to “conclude negotiations on a new agreement” that allows for the free flow of data. Thune said it's “imperative” businesses be given clear guidance on how to continue operations. “Internet companies have mechanisms in place to effectuate data transfers beyond the Safe Harbor, but smaller companies and consumers both in the EU as well as in the U.S. could experience significant challenges,” Internet Association CEO Michael Beckerman said in a news release. The Information Technology Industry Council, the Computer & Communications Industry Association and the Direct Marketing Association raised similar concerns.
Impact Debated
The decision "is a major blow for US global surveillance that heavily relies on private partners," Schrems, the Austrian attorney who brought the case, said in an initial statement. But contrary to some "alarmist responses," the decision applies only to a limited number of situations, he said. There are alternative options for transferring data from Europe to the U.S., and "despite some alarmist comments I don't think that we will see major disruptions in practice," he wrote. The judgment applies to a limited set of situations, such as outsourcing of EU data processing operation to U.S. providers, he said. "Those doomsayers pretending this judgment will cut off any data transaction across the Atlantic deliberately exaggerate the consequences," European Consumer Organisation Director General Monique Goyens said. If Facebook, Google and others want to continue sending Europeans' personal data to the U.S., "they will just have to guarantee an adequate level of protection in line with EU rules," she added.
But several industry observers read the decision differently. It's "remarkable," though correct at first sight from a legal standpoint, in finding that the EC can't eliminate the power of national data protection authorities to examine with complete independence whether data transfers are legally compliant, Linklaters privacy attorney Tanguy Van Overstraeten said in an interview. But that finding is also "unfortunate" in that, now that safe harbor has been declared invalid, the decision could create a patchwork of different legal positions among the regulators in each EU country, he said. If the Article 29 Working Party doesn't take the lead and find a common position, it may become a "real nightmare" for companies to comply, he said. The ruling is "extremely bad news for EU-US trade," Linklaters technology, media and telecom attorney Richard Cumbley said in a statement: "Without safe harbor, thousands of U.S. businesses that rely on the agreement "will be scrambling to put replacement measures in place."
The ECJ didn't complain about how businesses apply safe harbor, but about how the U.S. gives public authorities too broad an access to the data and doesn't grant right of redress for Europeans whose data is wrongfully accessed, Van Overstraeten said. He is optimistic EU-U.S. talks can counter these criticisms but said because national privacy agencies will still have the right to independently review data transfers, any upcoming EC decision approving a "safe harbor 2.0" could still be challenged.
It's surprising that the decision seems to hinge upon the state of the law as of 2013, Baker & McKenzie (Chicago) technology and communications attorney Brian Hengesbaugh said in an interview. The ECJ disregarded changes since then in U.S. law, parallel trans-Atlantic talks on the "umbrella agreement" on data protection in law enforcement activities and the ongoing safe harbor negotiations, he said. The court's belief there is still mass surveillance is "so far off from reality in the law," he said.
Hengesbaugh predicted data flows will continue because of the interdependence between the U.S. and EU, but said there's no one-size-fits-all answer on what mechanisms companies should use. He also predicted the hodge-podge of different approaches will provide a lower level of privacy protection. Hengesbaugh criticized the EC for failing to appreciate the value safe harbor brings to the commercial arena and for trying to wring more concessions on national security from the U.S. government.
The judgment will affect the business of American over-the-top players in Europe, wrote Innocenzo Genna, who advises smaller telcos, on his blog. Because there are no guarantees or limitations on U.S. access to personal data, the OTTs could be forced to store data in Europe and to build separate data centers and processing activities in the two areas. "It will be a kind of structural separation for personal data" that for some U.S. players will be a disaster because they won't be able to compare and profile information for advertising and marketing, Genna wrote.
The ECJ decision "finally backs up the repeated calls from the European Parliament" for suspension of safe harbor, said European Parliament Civil Liberties Committee Chairman Claude Moraes, of the Socialists and Democrats and U.K. After the EC briefing, Moraes criticized its response as "disappointing," saying it lacked "any real concrete update" on what it intends to do about replacing the framework and didn't say when talks with the U.S. would conclude. Member of the European Parliament Jan Philipp Albrecht, of the Greens/European Free Alliance and Germany, author of the legislative report on reform of EU data protection rules, urged the EC and Irish data protection authority to "immediately" stop further data transfers to the U.S. under safe harbor.
Advocates Applaud
The ruling "should spur governments on both sides of the Atlantic to ratchet up long-overdue reform efforts," because it will likely adversely affect U.S. and EU companies' operations, Center for Democracy & Technology European Affairs Director Jens-Henrik Jeppesen said in a news release. "Congress should act quickly to provide greater privacy protections to everyone caught up in the U.S. mass surveillance dragnet, and help restore confidence in U.S. tech companies,” starting with reforming Section 702 of the Foreign Intelligence Surveillance Act (FISA), Jeppesen said. Hatch agreed that passing the Judicial Redress Act is now more critical than ever. Schatz didn’t specifically name any bills, but said Congress must pass legislation that ensures a “proper balance between privacy, civil liberties, and national security.”
Though the ruling largely affects smaller and medium-sized companies that don’t have alternative mechanisms in place to safely transfer data, privacy advocates largely applauded the court’s ruling to value privacy over profit. The Internet should be a “secure and private space where people can start businesses, research confidential topics or just chat with friends without the fear of being subjected to unwarranted government snooping,” the World Wide Web Foundation said in a statement. Former NSA contractor Edward Snowden, whose revelations of NSA’s mass surveillance activities were cited as reason the agreement should be rendered invalid, tweeted his support for Schrems Tuesday, saying Schrems has “changed the world for the better.”
“There's only one way forward to end this battle in a way that keeps the Internet open and preserves everyone's privacy,” Electronic Frontier Foundation International Director Danny O’Brien wrote in a blog post Tuesday. “Countries have to make clear that mass surveillance of innocent citizens is a violation of human rights law,” which for the U.S. means reforming Section 702 of FISA and executive order 12333, O’Brien said. The U.S. can’t assure the EU data will be adequately stored or used when there is an absence of data protection legislation and rules, the Transatlantic Consumer Dialogue, which is made up of EU and U.S. consumer organizations, said in a news release. The group called for the U.S. to ratify the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), which forms a ready basis for such a framework.
The case is about more than mass surveillance, European Digital Rights Executive Director Joe McNamee said in a statement. Even before Snowden's revelations, EC reports and independent research showed the entire framework was inadequate, he said. Businesses using safe harbor could have done more than hope a case would never be brought to court, or "pluck absurd numbers out of thin air as to the cost of abandoning this unsustainable agreement," but they didn't, McNamee said.