Two weeks ago, the European Court of Justice (CJEU) ruled that the 15-year agreement between the European Union and the US Department of Commerce could no longer be relied upon as protection for personal data being transferred between Europe and the US.
EU countries already have some of the strictest data protection laws in the world and generally prohibit the transfer of personal data by companies based in EU member states to the US. This is because the US fails to meet the EU “adequacy” standard for privacy protection, with no comprehensive federal regime for data privacy and sporadic state protection in place.
Under the agreement between the US and the EU Commission reached in 2000, a “safe harbor” is permitted where the US recipient of data can certify to the US Department of Commerce that it meets the privacy requirements set up under the US-EU Safe Harbor Framework. But in light of recently disclosed privacy threats such as the US National Security Agency’s surveillance program, the European Commission had proposed several changes to the US-EU Safe Harbor program, including:
- That it become more transparent;
- It be revised to contain an alternative dispute resolution procedure;
- Compliance with the program must be more actively enforced and audited by the US Department of Commerce; and
- US authorities must make clearer the circumstances under which they will gain access to EU personal data processed by a Safe Harbor self-certified company.
Discussions on the inadequacy of the program had been ongoing for some time before a case brought by an Austrian law student reached the highest court in Europe, which has ultimate jurisdiction over the interpretation of laws governing EU member states and those citizens and businesses living and operating within the EU. The European Parliament had already called for suspension of the agreement more than a year ago. However, progress had been slow, due in part because the US failed to provide the assurances and take the action required to satisfy EU authorities.
The Schrems Case
Inspired by Edward Snowden’s revelations of the extent of the US government’s surveillance of personal data in the US and elsewhere, Austrian law student Max Schrems complained to the Irish Data Protection Commissioner (DPC) in 2013 about the way his personal data was being processed by Facebook, which has its European headquarters in Dublin. The DPC rejected the complaint on the basis that the transfer of data by Facebook Ireland to the US were covered by the Safe Harbor Framework. Schrems then sought a judicial review of the DPC’s decision not to investigate his complaint.
The CJEU ruled the safe harbor rules were inadequate as they did not prohibit the US government authorities from inspecting the data, and therefore ordered the DPC to investigate the complaint.
The CJEU ruling has significant implications for EU-US trade, with approximately 4,500 businesses having certified as complying with the Safe Harbor principles. This will certainly speed up the negotiations over the steps that need to be taken to protect the rights of EU citizens.
But in the meantime, where does this leave businesses that routinely in the course of business transfer personal data between the two continents?
According to EU Commissioner Věra Jourová, there are two ways in which companies may protect data to the level of the EU law and these involve the use of standard data protection clauses in contractsbetween companies; or binding corporate rules within a multinational corporate group. In the absence of other grounds for transfer, data can still be sent out of the EU with the free and informed consent of the individual, Jourová said.
The European Commission is urgently preparing guidance on a uniform approach by data protection commissioners in each member state. “As businesses need legal certainty, the guidance should help avoid a patchwork of conflicting decisions by DPAs,” said First Vice President Frans Timmermans.
At the same time, the EU Commission is working on an umbrella agreement with the US government to determine the level of access to personal data of EU citizens that law enforcement agencies in the US will be entitled to, as well as provide EU citizens with rights of redress in the event of a breach of their privacy rights.
Whatever the outcome of current negotiations, it is clear that transatlantic trade will continue and that the current storm will blow over, but both sides will need to speed up their discussions if normal business is to be resumed to everyone’s satisfaction.