By Daniel J. Solove
In a profound ruling with enormous implications,the European Court of Justice (ECJ) has declared the Safe Harbor Arrangement to be invalid.
The Safe Harbor Arrangement
The Safe Harbor Arrangement has been in place since 2000, and it is a central means by which data about EU citizens can be transferred to companies in the US. Under the EU Data Protection Directive, data can only be transferred to countries with an “adequate level of protection” of personal data. The EU has not deemed the US to provide an adequate level of protection, so Safe Harbor was created as a work around.
In the late 1990s, when the EU Data Protection Directive came into effect, the main concerns with the US approach to privacy was that it was too focused on self-regulation and had many gaps in protection due to the fragmented nature of US privacy law.
The US Department of Commerce and the EU Commission negotiated the Safe Harbor Arrangement to ensure that personal data could continue to flow between the US and EU. Companies in the US can voluntarily adhere to a set of principles in the Safe Harbor Arrangement, to be enforced by the FTC. If companies adhere to these Safe Harbor principles, then they are deemed to meet the EU Directive’s “adequacy” standard, and data about EU citizens may be transferred to them.
The Safe Harbor arrangement was long viewed with great skepticism in the EU. The European Parliament initially rejected the Safe Harbor Arrangement in a nonbinding vote, but the EU Commission approved it.
There are seven Safe Harbor principles:
- Notice. Companies must provide adequate notice of their practices regarding personal data collection, use, and disclosure.
- Choice. People have a right to opt out of certain data uses. If sensitive data is involved, people must opt in.
- Onward Transfers . Transfer to third parties is permitted only if there will be adequate protection by the third parties.
- Security. Personal data must be protected with “reasonable precautions”
- Data Integrity. Personal information must be relevant for purposes for which it is to be used. It must be reliable for intended use, accurate, complete and current.
- Access. People must have a right to access their data and to correct errors.
- Enforcement. There must be independent enforcement of violations — with penalties.
The Schrems Case
Max Schrems is an Austrian citizen who sued Facebook in Ireland because Facebook’s EU headquarters are in Ireland. Schrems argued that his privacy rights were being violated by the NSA’s surveillance programs. He argued that Facebook transferred his data to servers inside the US, and that the law of the US fails to provide adequate protection against law enforcement surveillance, especially that by the NSA.
Ireland’s Data Protection Commissioner refused to investigate his case because the Safe Harbor Arrangement resolves that there is an adequate level of protection when data is transferred to US companies under the Arrangement. Schrems appealed, and High Court of Ireland asked the European Court of Justice (ECJ) to determine whether countries are restricted from investigating complaints about the adequacy of protection in cases involving data transfer to the US.
In Maximillian Schrems v. Data Protection Commissioner, Case C-362/14, the ECJ held that each country has the right to determine for itself whether there is an adequate level of protection and thus whether data about their citizens can be transferred:
80. In the light of the essential role which they play with regard to the protection of personal data, the national supervisory authorities must be able to investigate where they receive a complaint alleging matters that could call into question the level of protection ensured by a third country, including where the Commission has found, in a decision adopted on the basis of Article 25(6) of Directive 95/46, that the third country concerned ensures an adequate level of protection.
81. If, on completion of its investigations, a national supervisory authority considers that the contested transfer of data undermines the protection which citizens of the Union must enjoy with regard to the processing of their data, it has the power to suspend the transfer of data in question, irrespective of the general assessment made by the Commission in its decision.
Beyond this holding that a country has the power to disregard Safe Harbor and make its independent adequacy findings, the ECJ declared Safe Harbor to be invalid. The main reason for the invalidity of Safe Harbor is the failure of US law to provide adequate limitations and redress from government surveillance, especially NSA surveillance. In particular, the ECJ was troubled by the fact the NSA could engage in massive surveillance and that US courts had failed to provide a way for people to challenge that surveillance. In ACLU v. Clapper (2d. Cir. May 7, 2015), the U.S. Supreme Court held that plaintiffs’ legitimate concerns about being subjected to NSA surveillance — and even taking countermeasures to protect themselves — were insufficient to establish a concrete harm. Thus, the plaintiffs lacked standing to challenge the surveillance, and their case was dismissed.
In its opinion, the ECJ stated that “the law and practice of the United States allow the large-scale collection of the personal data of citizens of the Union which is transferred under the safe harbour scheme, without those citizens benefiting from effective judicial protection.” The ECJ noted that the FTC lacks the power to stop these widespread surveillance powers by the NSA and intelligence agencies. Thus, the court concludes the “access enjoyed by the United States intelligence services to the transferred data therefore also constitutes an interference with the fundamental right to protection of personal data guaranteed in Article 8 of the Charter.”
Essentially, the ECJ held that because the NSA’s surveillance is virtually unstoppable, the Safe Habor cannot guarantee an adequate level of protection.
1. About 4500 companies use the Safe Harbor Arrangement. They will now be scrambling to adjust to a world without it. The ECJ decision is akin to pulling the rug out from under them. There are other means of transferring data beyond the Safe Harbor Arrangement — Binding Corporate Rules (BCRs), model contractual clauses, as well as obtaining people’s consent to transfer their data. Regarding consent, the EU approach to consent is much stricter than that in the US. Under the EU Data Protection Directive, consent must be “explicit” and “freely given” — in the US, consent can be implied, much more vague, and subject to a substantial amount of coercion (consent can be valid even if people are under the threat of being fired if they don’t consent).
2.The EU is likely to pass legislation soon that will supplant the EU Data Protection Directive and require more stringent protections of personal data. The need to renegotiate Safe Habor was on the horizon given this impending new development. Now, the EU will have a stronger negotiating posture. The US can no longer use the existing Safe Harbor as a starting point and argue for some small tweaks. Safe Harbor has sunk. Now the US must start from the position that Safe Harbor is not adequate, which is much further away from where the US wants to be starting from.
3. The costs of NSA surveillance keep mounting. How much will we make businesses have to pay to provide overzealous intelligence agencies and law enforcement with overbroad powers and end runs around reasonable legal protections? Yes, more power makes their jobs easier because they don’t have to bother complying with traditional legal protections, and perhaps makes them feel more empowered and sleep easier at night. But it is very costly. Is it really worth it?
4. The sinking of Safe Harbor is due in part to the cavalier attitude of the US surveillance agencies such as the NSA and the U.S. Supreme Court in Clapper. The EU is very concerned with maintaining — at least in the rhetoric of the law — that privacy is a fundamental right that shouldn’t be compromised. The US likes to state all of its compromises and practical exceptions in its law, and it thus appears much less pure. The EU deals with its compromises behind the scenes — much more quietly and less overt than the US. EU countries also engage in widespread surveillance — which is not restricted by the EU Data Protection Directive — so there is some hypocrisy here. But the overt and brash attitude of the NSA (and the US law enforcement and national security agencies more generally) rubs the EU the wrong way. So does the Supreme Court in Clapper. To the EU, the US rhetoric is one of accepting the widespread power of government surveillance without much recourse to judicial challenges — an arrogance of power. It is that arrogance — and the rather anemic response that all branches of government have taken to the NSA surveillance — that most offends the EU in my opinion.
5. Early EU concerns with Safe Harbor involved the staunch embrace of self-regulation in the US. The attitude that made the EU bristle was that companies knew better than regulators, and that the EU should stop impeding the innovation of US tech companies. Now, things are quite different. Many companies have internal policies and practices built to comply with EU law; the US law of privacy has strengthened in many areas; and the debate has shifted to the poor protections on US government access to personal data. Companies are more aligned with the EU on this front. Consider the Microsoft case (I blogged about it recently here), where Microsoft is opposing the US’s attempt to gather information on servers in Ireland. US companies have no love for the NSA or the weak legal protections against government data gathering — it erodes the trust companies are building with consumers. With the Schrems case, companies are now stuck in the middle and will suffer substantially because they don’t have much control or way to stop the NSA. But maybe Schrems might give them the leverage and incentive to convince policymakers to better regulate government surveillance.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.