In early October, 4,200 companies that have been certified under the U.S. Safe Harbor Framework as having developed processes and procedures to protect the private information of EU citizens were told that their certifications were invalid. Privacy experts have been scrambling to give them advice on next steps, which include utilization of model contractual clauses relating to individual data transfers, or implementation of binding corporate rules requiring the approval of an EU Data Protection Authority, which can take up to a year to accomplish. Whether these actions will also be considered invalid along with the Safe Harbor framework is not clear. However, since both preserve an individual’s ability to question a company’s compliance with the EU privacy directive, it is more likely that they would be considered adequate.
The potential paralysis of commerce is ostensibly the result of Snowden’s revelations of the NSA’s ease of access to information culled by U.S. companies. On October 6, the European Court of Justice ruled that Decision 2000/520 of the European Commission, which stated that Safe Harbor-certified U.S. companies provide adequate protection for personal data transferred to them from outside of the EU (the Safe Harbor Adequacy Decision), is invalid (Case C-362/14, Maximillian Schrems v. [Irish] Data Protection Commissioner). The following findings were the basis of the decision:
- No general privacy law or other measures enacted in the United States shows the country offers “an adequate level of protection” for personal data relating to European data subjects
- Public law enforcement authorities that obtain personal data from organizations in Safe Harbor are not obliged to follow the Safe Harbor rules after disclosure
- Some American law enforcement agencies can gain access to personal data in Safe Harbor without having a law that delineates level of access
- The European Commission knew all the above and knew that personal data were possibly being used by law enforcement for incompatible and disproportionate purposes
The court made it clear that an EU citizen has a right to bring action against a U.S. company if he or she believes that their privacy is being jeopardized, regardless of Safe Harbor certification.
The test case here involved Facebook, which, like Google, has a business model that is based on monetizing the data it tracks about its users. This is different from companies that store customer data, such as addresses and dates of birth, needed to transact business with individuals located in the EU. There are 4,200 companies impacted by the court’s ruling, and they are not all collecting the same type of data and using it for the same purpose. NSA’s interest in Google and Facebook’s complex and unique user information, such as personal relationships and Web searches conducted, simply does not extend to the transactional information gathered by most U.S. companies doing business in Europe.
What is the real effect of the decision? Does the EU court think that the NSA will be influenced by its action? Does the EU think that American companies can change the country’s security policy in light of perceived terrorist or other national threats to the United States (i.e., will the EU really control U.S. efforts in the war on terror)? Are the EU’s members’ security efforts really less than those of the United States; or, to the point, is the EU ready to ensure the same restrictions in its own security efforts? Is the EU ready to defend its posture that it can spy on its own citizens, and American citizens’ data housed in Europe, but the United States cannot? And how do country-backed hacks resulting in massive loss of private information factor into these equations?
Probably the most telling quote on the ECJ opinion is by Alexander Dix, privacy commissioner for Berlin: “One possible effect will be that European cloud providers will be better positioned to offer and sell their services in competition to the U.S. service providers.” Many companies may decide to take the least resistant path and leave EU citizens’ data in Europe, giving European cloud providers a distinct business advantage. Will this outcome provide enough incentive to get the United States to bend to the EU’s demand that it pass encompassing privacy laws on the federal level?
While American companies can no longer rely on Safe Harbor to exempt them from compliance with EU privacy laws, those that believe they can show that they provide the same level of protection of EU citizens’ PII as that provided by EU companies do not need to be overly concerned while we wait to see what happens in the weeks ahead.
“The national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive.”
—Judgment in Case C-362/14, Maximillian Schrems v. Data Protection Commissioner
The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.