Export Compliance Daily is a Warren News publication.
FTC Figures in Ruling

EU High Court Adviser Calls for Suspension of Safe Harbor

The EU-U.S. safe harbor agreement for transfer of personal data is invalid and should be suspended, European Court of Justice (ECJ) Advocate General (AG) Yves Bot said Wednesday in an advisory opinion. The European Commission, which is scurrying to renegotiate safe harbor with U.S. officials, said it's "confident" of a "positive conclusion" soon. Industry lawyers warned that the opinion, if adopted by the ECJ, could spell trouble for American companies seeking to do business in Europe. Privacy advocates, however, said it could signal the beginning of a better data protection system. The ECJ isn't bound by its advocates' opinions but generally follows them.

Schrems v. Data Protection Commissioner arose in 2013 when Austrian attorney Maximilian Schrems asked Ireland's privacy chief to investigate Facebook Ireland's decision to keep European subscribers' personal information on servers in the U.S. The commissioner rejected as frivolous Schrems' claim that the U.S. offered no real protection against government surveillance by the NSA and other intelligence services, saying there was no evidence that the agency had accessed the data and that under safe harbor, the U.S. was deemed to have an adequate level of personal data protection. On appeal, the Irish High Court asked the ECJ to clarify whether the data protection commissioner was absolutely bound by the EC's safe harbor decision or was free to investigate Schrems' charges. Facebook had no comment on the AG opinion.

Bot urged the court to rule that the safe harbor decision doesn't stop national privacy authorities from investigating complaints and barring Facebook from sending European subscribers' data to its servers in the U.S. While an EC decision "does, admittedly, play an important role in ensuring uniformity in the transfer conditions applicable" in EU countries, that uniformity "can continue only while that finding is not called in question," he wrote. Schrems' complaint was intended to put safe harbor directly at issue, he said.

Determination of the level of data protection provided by a non-EU country must focus on the content of the applicable rules and the means of ensuring compliance with them, Bot said. Safe harbor, which is mostly based on self-certification and self-assessment by organizations that participate in it voluntarily, must be accompanied by adequate guarantees and a sufficient control mechanism, he said. But the U.S. allows massive collection of European personal data transferred under the agreement without giving people effective judicial protection, rendering the guarantees inadequate, he said.

"That decision [safe harbor] and the way in which it is applied entail a wide-ranging and particularly serious interference with those fundamental rights," without any assurances that that interference is limited to what is strictly necessary, the opinion said. Safe harbor "must be declared invalid" and the EC should have suspended it, Bot wrote.

FTC

The U.S. Federal Trade Commission also figured in the decision.

That agency oversees and verifies compliance with safe harbor principles under authority granted to the agency by Section 5 of the FTC Act, but the commission’s power is “limited to commercial disputes,” the opinion said. “The FTC’s jurisdiction covers unfair or deceptive acts and practices in commerce and therefore does not extend to the collection and use of personal information for non-commercial purposes,” the opinion said. “The FTC was established not, as is the case within the European Union of the national supervisory authorities, to ensure the protection of the individual right to privacy, but to ensure fair and trustworthy commerce for consumers, which limits de facto its capacity to intervene in the sphere of personal data protection,” it said. “Neither the FTC nor the private dispute resolution bodies therefore have the power to monitor possible breaches of principles for the protection of personal data by public actors such as the United States security agencies,” which is an “essential” power needed to “guarantee in full the right to effective protection of that data,” the opinion said. The FTC had no immediate comment.

The EC said it doesn't comment on the substance of pending cases. However, a spokesman told us, the EC made 13 recommendations in 2013 on how to revamp safe harbor as part of its overall strategy to restore trust in trans-Atlantic data flows, and launched intense talks with the U.S. in January 2014. Since then, he said, the EC "has been working tirelessly" with the U.S. on the final details of a deal and is confident it can reach a positive conclusion soon. The AG's "welcome finding" must "provoke an immediate response by the relevant authorities," said Member of the European Parliament Jan Philipp Albrecht, of the Group of the Greens/European Free Alliance and Germany, who drafted the legislative response to EC plans for reform of data protection rules.

The U.K. Information Commissioner's Office and organizations that may be affected must await the high court judgment, an ICO spokeswoman emailed. That the AG clearly stressed the importance of adequate and meaningful safeguards for personal data, even when it's transferred outside the EU, as well as the essential role of independent data protection authorities in ensuring that, is "notable," she said.

There are over 4,400 U.S. companies with active safe harbor certification, including nearly all major IT companies, Schrems wrote in an "initial review" on his "Facebook versus Ireland" website. If the ECJ follows Bot's opinion, those businesses will have to find another legal way to shift personal data to the U.S., he said. But without safe harbor, the privacy authorities in all 28 EU nations will likely bar data transfers to U.S. companies that are subject to mass surveillance, he said. He warned against predicting the "end of the internet," saying the case concerns only outsourcing of data from a European to an American enterprise if the data is shared for mass spying.

Legal Uncertainties

The decision creates uncertainty for companies in the U.S. and Europe, experts said.

That the AG openly supports the view that safe harbor should be suspended "creates uncertainty about its ongoing validity," Hogan Lovells (London) data protection attorney Eduardo Ustaran told us. The critical question is whether companies can continue to rely on the agreement as a valid mechanism to legitimize data transfers, he said. Its adequacy stands, but he said that data protection authorities "will feel more empowered than ever to suspend transfers made on this basis."

The opinion "will cause real headaches" for many U.S. businesses operating in Europe, said Linklaters privacy attorney Tanguy Van Overstraeten in a statement. If the ECJ confirms it, the decision could also have a wider impact on other EC decisions relating to international data transfers, he said. "This demonstrates that the [former NSA contractor Edward] Snowden revelations still cast a long shadow over privacy issues," said Linklaters technology, media and telecom attorney Richard Cumbley. The biggest question is whether invalidating safe harbor will really boost protections for Europeans, he said. "The answer is far from clear."

The opinion "puts the nail in the coffin" of safe harbor, European Consumer Organisation Senior Legal Officer Agustin Reyna said in a statement. It sends the EC a "clear message that the transfer of European citizens' data cannot be based on self-assessment by US companies." European Digital Rights Executive Director Joe McNamee slammed the EC for its "refusal to accept the ever-growing mountain of evidence" of the agreement's inadequacy.

U.S. privacy advocates weren't surprised the safe harbor agreement was deemed invalid. They “know that the so-called Safe Harbor deal hasn’t made EU citizens safe from having their information scooped up by our NSA and our digital giants -- such as Facebook,” Center for Digital Democracy Executive Director Jeff Chester told us. He called the safe harbor agreement a “fraud played upon the EU public,” and pointed to Bot’s opinion as another reason why the U.S. “must enact its own privacy law, with effective enforcement that mirrors the EU.” If the U.S. fails to do so, U.S. digital businesses “will find themselves either shut out of key markets or viewed as not trustworthy,” he said.

Long term, challenges must be overcome for safe harbor to continue to be a valid method for transfers, Ustaran emailed. The EC and U.S. must agree on the next version before the ECJ makes its final decision, he said; if they don't, the court's previous stance on these issues suggests it could be prepared to follow the AG's advice. Safe harbor must differ significantly from the current model in the way it deals with national security and law enforcement exemptions to satisfy EU proportionality rules. And the next incarnation must be robust enough from the perspective of the national data protection authorities, he said. Safe harbor isn't dead yet, but "it is only prudent to consider other alternatives" to ensure that transatlantic data flows remain lawful, he added.