[Digest Note] The Court of Justice of the European Union Finds the Harbor No Longer Safe
By Ann Kristin Glenster - Edited by David Nathaniel Tan
On October 6, 2015, the Court of Justice of the European Union (“CJEU”) delivered another landmark ruling concerning the handling of personal data by U.S. companies in Europe.Responding to a request from the Irish High Court, the CJEU held that the Safe Harbor Agreement (the “Agreement”), under which companies like Facebook were able to legally transmit personal data from their European subscribers to the U.S., was invalid. This article will give a brief overview of the Agreement and the case, and explore some of the salient issues to which the European Court took umbrage. Finally, it will attempt to sketch out some possible consequences of the ruling, and the options that now face E.U. and U.S. legislators.
According to the CJEU, the Safe Harbor Principles did not provide adequate safeguards as required by the Data Protection Directive (95/46/EC) (the “Directive”). The decision has led to a flurry of activity on both shores of the Atlantic. On November 3, barely a month after the judgement was announced, it was the hot topic of debate at a House Communications Subcommittee of Commerce, Manufacturing and Trade meeting. Microsoft, Apple and Oracle, among others, urged U.S. legislators to take swift action as “trillions of dollars in global GDP were at stake.”
The CJEU decision has left U.S companies in a quandary as to how they may demonstrate their compliance with European law in handling foreign customer data, as they wait for rescue by Safe Harbor 2.0. But so far, signals are weak that a new Safe Harbor Agreement can provide the much sought-after shelter for personal data making the journey across the Atlantic.
The Safe Harbor Agreement
The Safe Harbor Agreement was issued as an Executive Decision by the European Commission in order to facilitate the cross-border flow of personal data from the United States. In the words of the European Commission: “transfer of personal data are an important and necessary element of the transatlantic relationship. They form an integral part of commercial exchanges across the Atlantic including for new growing digital businesses, such as social media or cloud computing, with large amounts of data going from the European Union to the United States.”In order to benefit from the scheme, a U.S. company planning to transfer personal data from the E.U. to the U.S. must self-certify with the U.S. government that it will protect that data in accordance with the standards of the Agreement. However, Recital 57 of the Directive prohibits the transfer of personal data to a third country, i.e. a non-EU jurisdiction, unless the transfer is performed in accordance with the requirements in either Article 25 or 26 of the Directive. The Safe Harbor Agreement was designed to enable the cross-border transfer of personal data by meeting these requirements.
Greatly simplified, the constitutional architecture of the European Union is founded on the EU Treaties followed by regulations and directives, the last must be incorporated nationally, usually by a domestic statute, in order to take effect in the Member States. National courts decide actual cases, but may refer questions pertaining to the interpretation of E.U. law in a specific instance to the CJEU. The CJEU issues judgments on how the law should be applied although it is for the national court to decide the individual case.
The locus of European data protection is the Directive,effectuated through separate domestic laws enacted by the Member States, and overseen by national Data Protection Authorities. In June 2013, the Austrian national Max Schrems submitted a complaint to the Irish Data Protection Commissioner against Facebook alleging that the social media platform illegally passed European personal data to U.S. law enforcement agencies as part of the PRISM program.Schrems’ case was filed with the Irish Data Protection Commissioner because Facebook’s European presence is established in Ireland. As CNN has reported, several U.S. companies have chosen to incorporate in Ireland because of its business-friendly tax regime. Ireland is also known for its comparatively relaxed implementation of the Directive, imposing less stringent conditions on U.S. companies such as Facebook. Schrems and his activist group Europe v. Facebook have previously launched campaigns against the Irish Data Commissioner for his failure of robust oversight of Facebook’s transatlantic operations.However, the Commissioner held that hewas under no duty to investigate Facebook Ireland as the company had voluntarily self-certified as compliant with European law under the Safe Harbour Agreement.
Schrems filed for judicial review of the Data Protection Commissioner’s decision with the Irish High Court.It should be emphasized that although the Irish High Court found it likely that Facebook was making European personal data available to the U.S. authorities, the social media platform was not a defendant in the case. Instead, the issue for the High Court was whether the Irish Data Protection Commissioner could decline to investigate an alleged violation of the Safe Harbor Agreement. In order to make that determination, the High Court requested a preliminary ruling under Article 267 TFEU on the interpretation of the Safe Harbor Principles in light of Articles 25(6) and 28 of the Data Protection Directive and Articles 7, 8, and 47 of the Charter of Fundamental Rights of the European Union (the “E.U. Charter”). However, the CJEU chose to take the request one step further by noting that although Schrems had not explicitly questioned the validity of the Safe Harbor Agreement,his claim justified the CJEUs examination of the Principles’ legality in their entirety.
In short, the CJEU held that the Safe Harbor Principles had to provide “essentially equivalent” protection as that in the Directive and the E.U. Charter. This is a very high threshold as data protection in the E.U. is far more encompassing than U.S. privacy law. With that in mind, the CJEU focused on two aspects: first, it found that the Safe Harbor Principles did not meet the standard of adequate safeguards for the protection of personal data in Article 25 of the Directive because the derogation in Annex II of the Executive Decision based on “national security, public interest, or law enforcement requirements” was too broad.Instead, the CJEU cited that derogations and limitations had to be “strictly necessary,” and emphasized that “in particular, legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the [E.U] Charter”.
Second, despite the redress mechanism offered by the U.S. Federal Trade Commission (“FTC”) backed by federal law, the CJEU noted that European citizens still did not have sufficient access to remedies, partly because the FTC was not consumer-friendly, and partly because some constitutional privacy protections, such as the Fourth Amendment, are not available to non-citizens.In addition, the CJEU quoted the European Commissions in finding that: “moreover, the are no opportunities for either E.U. or U.S. data subjects to obtain access, rectification or erasure of data, or administrative or judicial redress with regard to collection and furthering processing of their personal data taking place under the US surveillance program.”
Having declared the Safe Harbor Agreement invalid, the CJEU referred the case back to the Irish High Court, which ordered the Irish Data Commissioner to undertake the investigation of Facebook that Schrems had initially petitioned. The outcome of this investigation has yet to be released. That noted, if there is one immediate outcome of the case, it is that time is of the essence for a new scheme or legislation to take its place. The Article 29 Data Protection Working Party, constituted by the Directive to provide advice on the interpretation of the Directive, has warned that without a new appropriate scheme or agreement for the cross-border transfer of personal data by the end of January 2016, the national data protection agencies across the E.U. will take “all necessary and appropriate action, including coordinated enforcement action.” In other words “transfers that are still taking place under the Safe Harbor decision after the CJEU judgment are unlawful,”
The Core Issue: Spying?
At its core, however, this decision may not be about the Safe Harbor Agreement. For years, criticisms of the Agreement’s inefficient enforcement and other structural weaknesses have been largely overlooked as courts and legislators on both continents implicitly recognized the importance of the free flow of personal data across the ‘pond’. But in the wake of the Edward Snowden revelations, which seriously undermined trust between the transatlantic partners, the tide may be turning. Indeed, the CJEU specifically took issue with the possibility that U.S. authorities could employ U.S. laws to compel U.S. companies to surrender European customer data in breach of the E.U. Charter.
Secrecy was also an issue as Advocate-General Bok elucidated: “While the Foreign Intelligence Surveillance Court which operates under the Foreign Intelligence Surveillance Act of 1978, exercises supervisory jurisdiction, proceedings before that court take place in secret and ex parte.” He continued, “apparent from the fact that decisions relating to access to personal data are taken on the basis of United States law, citizens of the [European] Union have no effective right to be heard on the question of the surveillance and interception of their data.” In his view, this amounted to a breach of the right to an effective remedy guaranteed by Article 47 of the E.U. Charter. The CJEU concurred. It is not clear - and not mentioned in the judgment - if the USA FREEDOM Act of 2015 and the Judicial Redress Act of 2015, the latter currently being considered by the U.S. Senate, will adequately address these issues.
The CJEU quoted the European Commission’s observation that all the transatlantic companies that participated in the U.S. PRISM ‘spy’ program were also Safe Harbor certified, and that “[t]his has made the Safe Harbor scheme one of the conduits through which access is given to U.S. intelligence authorities to collecting personal data initially processed in the [European Union].” From this analysis, it appears that the Safe Harbor Agreement has failed to achieve its objective of extending personal data protection for European citizens to extend to processing performed by large corporate servers firmly planted on American soil.
Two Different Legal Regimes
Part of the fundamental underlying challenge for reaching the Safe Harbor Agreement in the first place can be traced to the difference in European and U.S. understanding of privacy law. Both the European Commission and its American counterpart, the U.S. Department of Commerce, recognized that: “While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation.”
Yet, the difference may be deeper than a simple divergent implementation strategy. The U.S. notion of privacy rights can be traced to Samuel Warren and Louis Brandeis’ seminal 1890 Harvard Law Journal article and “the right to be let alone”.The concept evolved with William L. Prosser’s four privacy torts from 1960and in various constitutional amendments, as primarily protection from illegal intrusion or invasion of the private sphere. Indeed, a similar conceptual interpretation of privacy is found in the European Court of Human Rights’ jurisprudence on Article 8 of the European Convention of Human Rights and Fundamental Freedoms.
Yet, since the Convention was signed in 1950, a narrow view of privacy in European jurisprudence has spread across a wider field of rights that encompasses the right to informational self-determination, dignity and autonomy.For example in Perry v. United Kingdom, the European Court of Human Rights held that: “Private life is a broad term not susceptible to exhaustive definition. Aspects such as gender identification, name, sexual orientation and sexual life are important elements of the personal sphere protected by Article 8. Article 8 also protects a right to identity and personal development, and the right to establish and develop relationships with other human beings and the outside world and it may include activities of a professional or business nature.”
This broad approach has resulted in an independent legal concept of personal data protection found in the Directive and Article 8 of the E.U. Charter. The underpinning logic of personal data protection is not whether privacy has been breached, but whether the processing of the personal data adheres to the Data Protection Processing Principles (the “Principles”). The Principles first appeared in the Organisation for Economic Co-Operation and Development (“OECD”)’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980 and the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”)in 1981.These two international documents served as a template for the drafters of the Directive in 1995.
The main Principles in the Directive are data quality and lawfulness of data processing (Articles 6 and 7), access (Article 12), information regarding processing (Article 10), and confidentiality and security (Articles 16 and 17). It should also be taken into account that the Directive covers all gathering, collection, use, storage, and dissemination of personal data (with a narrow household exemption); and similarly employs a definition of personal information that is considerably wider than most Personal Identifiable Information (“PII”) used in the United States. Thus, the Principles are considerably broader than the idea of “notice and consent” that is sometimes present in U.S. law.Yet common ground had to be found for the practical implementation of a cross-border agreement. The result in terms of Safe Harbor is that the European principles have been distilled into notice, choice, onward transfer (transfer to third parties), access, security, data integrity, and enforcement.
A question remains, however, as to whether a new agreement can come into legal effect as the CJEU’s ruling was not so much an objection to the commercial practices of U.S. internet companies, but rather a critique at the wide scope of U.S. federal laws that allows for, in the eyes of the CJEU, unwarranted “mass surveillance.”Among the commentators of the case, the E.U.-U.S. Mission has attempted to refute Snowden’s allegations of American ‘spying’.The website Politico has quoted U.S. Ambassador Danny Spulveda as claiming that the Court decision was “fundamentally and demonstrably incorrect” and that the U.S. will provide the evidence regarding its (non-existent) spying activities to prove so.Yet, these protests have been contested by, for example, the Electronic Privacy Information Center (“EPIC”) which has stated that: “The United States continues to engage in the routine of mass surveillance of persons outside of the United States, including ordinary European citizens.”
The European Commission has released thirteen recommendations concerning transparency, redress, enforcement, and access by U.S. authorities in an attempt to salvage the Safe Harbor Agreement. According to the Commission:
“Privacy policies of self-certified companies should include information on the extent to which US laws allow public authorities to collect and process data transferred under Safe Harbour. In particular companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.”
And further, “[i]t is important that the national security exception foreseen by the Safe Harbor decision is used only to an extent that is strictly necessary or proportionate.” 
More fundamentally, the CJEU’s approach places a strong emphasis on privacy and data protection; these human rights have a higher value than regular law. By contrast, the U.S. courts and lawmakers seem to take the view that albeit important, privacy is a right that can be legislated in law on par with any other interest. This dilemma is well expressed by Representative Joe Barton (R) of Texas: “If I put my pro-business hat on, I want to renegotiate this Safe Harbour agreement as soon as possible. But if I put my privacy caucus co-chairman hat on, I think the European Union has highlighted a substantial issue, that US privacy laws aren’t as strong as they could be.”
The CJEU ruling poses a dilemma for the more than four thousand U.S. companies who have availed themselves of the Safe Harbour Agreement by registering and self-certifying through an official U.S. website. On one hand, the CJEU ruling prevents them from sharing their customer data with U.S. law enforcement agencies; on the other hand, U.S. federal law obligates them to do just that. One solution may be for the U.S. companies to close their European offices, thereby avoiding the jurisdiction of the European Court. This may also be seen as a gain to the U.S. taxpayer, as these companies will now be liable for taxes at home. However, that may be easier said than done.The decision may also go the other way, as there have been some indications that companies are moving all their data to Europe “for safekeeping.”
Some commentators have suggested that the impact of the decision may not be as deep as first anticipated due to the other options for transferring personal data that already exist under Article 26 of the Directive. Under Article 26, companies are still able to transfer personal data outside the E.U. provided thatthe data subject has consented; yet not only must consent be freely given, it must also be specific, informed and unambiguous. It may therefore be more likely that one of the other derogation grounds will be used, such as a transfer being deemed necessary for (1)the performance of a contract (which would be most likely used by companies such as Facebook), (2)public interest reasons, (3) the protection of the data subject’s vital interests, or (4)legal compliance.. In practical terms, these may involve standard contractual clauses and binding corporate rules that have been pre-approved by the national data protection authorities.Yet, these solutions have been criticised for being costly to put in place, and prohibitive for small businesses.
In any case, it is in the interest of the E.U. and the U.S. to agree to a replacement scheme sooner rather than later. One compelling argument for a prompt solution is the burden the demand of individual case oversight places on national data protection authorities. In an age of austerity and an unfolding migrant crisis, few European governments have the means to allocate adequate resources to this task. Individual case oversight may also widen the gap of data protection practices across the European Union.. However, commentators are still skeptical of the potential of a Safe Harbour 2.0, fearing that it will suffer from similar ills as the initial agreement. Some have also suggested that the recently-entered-into Umbrella Agreement between E.U. and U.S. law enforcement agencies in regards to the protection of personal data can provide a suitable framework. Yet, this seems highly unlikely as the Umbrella Agreement is limited to the prevention, detection, investigation, and prosecution of criminal offenses, which remains under the competencies of the individual Member States, and not day-to-day business activities.
The CJEU found that the Safe Harbour Agreement was invalid, and subsequently the Irish High Court ordered the Irish Data Commissioner to investigate Schrems’ complaints against the social media platform. The outcome of that investigation has yet to be released, but in any event, Maximillian Scherms v.DPC has already promoted a swift reply from the European Commission, which has issued thirteen recommendations to ameliorate the Principles within three months of the CJEU’s decision. However, the case has not led to an immediate suspension of cross-border data transfers from the E.U. to the U.S. as Article 26 of the Directive provides alternative legal mechanisms for the cross-border transfer of personal data.. Further, the case has strengthened the long-overdue calls for reform of the Safe Harbour Agreement, which has previously been criticised for its weak enforcement mechanism and voluntary nature.
Some U.S. commentators, and the E.U.-U.S. Mission, seem to be caught by the arguably misguided notion that the case was about actual spying, and has therefore attempted to refute the allegations of illegal surveillance activities that were accepted by the Irish High Court. Yet this criticism seems to miss the point that the CJEU was not necessarily concerned with actual “spying”, but the potential that exists as long as U.S.C. 50 1888a, the Patriot Act, and the Executive Order 12333 are in effect. Thus, until U.S. legislators amend federal and possibly state laws to bridge this gap, Politico finds it difficult to see “Exactly how is the Obama administration going to reverse the perception that the U.S. has poor privacy protections?”Yet it should be recognised that significant progress has been made with the recent USA FREEDOM Act 2015 and the proposed Judicial Redress Act 2015 the latter targeted specifically to this fill this void.
Still the question remains as to whether these efforts will be enough to satisfy the European Court as long as Section 702 of Foreign Intelligence Surveillance Act (FISA) remains in force. It will also be worth following Senator Schakowsky’s privacy Bill as it makes it legislative journey.Perhaps these efforts, along with international pressures, may compel federal legislators to introduce stronger privacy laws across the United States.
Ann Kristin Glenster is a doctoral exchange student from the University of Cambridge Faculty of Law.