The EU-U.S. Data Protection Dispute and Possible Resolution
February 18, 2016
Early in February, the European Commission and the U.S. government agreed on a new framework for transatlantic data flows, which they are referring to as the “EU-U.S. Privacy Shield.” Lawyers advising clients with an online presence (i.e., almost all lawyers and almost all clients) typically have had little reason to be concerned about the agreement, or about the underlying issues that it seeks to resolve.
There are, however, significant practical reasons for lawyers—and clients—to care about transatlantic data flows and the Privacy Shield. That’s because, in the absence of this new framework, companies that transfer Europeans’ data to the United States—ranging from Facebook and Amazon to Google and thousands of other Internet leaders—risk being held accountable for violating European Union (EU) privacy standards. That risk could have led to a slowdown, or even a complete disruption, of those kinds of data transfers, which would have caused terrific damage to international commerce and the world economy. Indeed, until the Privacy Shield agreement is formally approved and adopted and all steps required by the new framework are taken, that harm remains a potential (and potentially substantial) risk.
This column discusses the background of the data transfer dispute and the significant aspects of the new EU-U.S. Privacy Shield.
Data Protection Directive
About two decades ago, in October 1995, the European Parliament and the EU Council adopted a directive regarding the processing of personal data and the free movement of that data. The “Data Protection Directive” provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. The directive also provides that the European Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Finally, the directive provides for each EU Member State to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive.1
Thereafter, the EU and the U.S. government agreed on a safe harbor that included a series of principles concerning the protection of Europeans’ personal data upon its transfer to the United States without being deemed a violation of the Data Protection Directive. About 4,000 U.S. companies signed on.
Court of Justice Ruling
All seemed to be working fine until a Facebook user and Austrian citizen, Maximilian Schrems, lodged a complaint with the Irish data protection commissioner asserting a violation of his rights under the Data Protection Directive. Schrems contended that some or all of the data he provided to Facebook was transferred from Facebook’s Irish subsidiary to servers located in the United States, where it was processed. He asserted that, notwithstanding the safe harbor and in light of revelations made in 2013 by Edward Snowden concerning the activities of the U.S. intelligence services (in particular the National Security Agency), U.S. laws and practices did not offer sufficient protection against surveillance by U.S. authorities of data transferred from the EU to the United States.
The Irish commissioner rejected Schrems’ complaint on the ground, in particular, that the European Commission previously had determined that the safe harbor ensured an adequate level of protection of personal data transferred from the EU to the United States.
The EU Court of Justice, however, did not agree with that ruling. Last October, it determined that the safe harbor was invalid.2
In its decision, the Court of Justice explained that the safe harbor was applicable only to U.S. entities that adhered to it—and that the U.S. government was not subject to it. Moreover, the Court of Justice declared, “national security, public interest and law enforcement requirements of the United States” prevailed over the safe harbor, so that U.S. companies were “bound to disregard” the protective rules laid down by the safe harbor where they conflicted with those requirements. It then found that the safe harbor enabled “interference” by the U.S. government, with “the fundamental rights” of Europeans and, therefore, that the safe harbor was invalid.
Accordingly, the Court of Justice told the Irish commissioner to examine Schrems’ complaint to decide whether, pursuant to the Data Protection Directive, the transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that the United States does not afford an adequate level of protection of personal data.
EU-U.S. Privacy Shield
The European Commission and the United States had been engaged in negotiations to revise the safe harbor for some time before the Court of Justice’s decision. After that ruling came down, the parties recognized the need to reach an agreement on a new safe harbor (or, as it turned out, a substitute).
Moreover, there was a looming deadline—the end of January 2016—that was set by the so-called “Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data,” an independent advisory body on data protection and privacy established under Article 29 of the Data Protection Directive that is composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor, and the European Commission.
In a statement after the Court of Justice decision,3 the Article 29 Working Party called for an “intergovernmental agreement providing stronger guarantees to EU data subjects.” The Article 29 Working Party said that any solution had to include “clear and binding” mechanisms and obligations on the oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms, and on data protection rights. It concluded by stating that if, by the end of January 2016, no appropriate solution was found with the U.S. authorities, the EU data protection authorities were “committed to take all necessary and appropriate actions,” including “coordinated enforcement actions.”
The European Commission and the U.S. government just missed that deadline, but subsequently they announced an agreement on a new framework for transatlantic data flows: the EU-U.S. Privacy Shield. In a statement,4 the European Commission indicated its belief that the Privacy Shield reflected the requirements set out by the Court of Justice in its ruling declaring the Safe Harbor invalid. It also said that the new arrangement would protect the “fundamental rights of Europeans where their data is transferred to the United States” and that it would “ensure legal certainty for businesses.”
The European Commission added that the agreement provided “stronger obligations on companies in the U.S. to protect the personal data of Europeans” as well as “stronger monitoring and enforcement” by the U.S. Department of Commerce and the Federal Trade Commission (the FTC), including through increased cooperation with European data protection authorities (DPAs). In addition, the European Commission added, the new arrangement included commitments by the U.S. government that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement would be subject to “clear conditions, limitations and oversight,” preventing generalized access. Europeans also would be able to raise any inquiry or complaint before a dedicated new Ombudsperson, the European Commission said.
The exact details of the Privacy Shield have not yet been fully made public, but the European Commission indicated in its statement that the elements of the agreement include:
- Obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to “robust obligations” on how personal data is processed and individual rights are guaranteed. The U.S. Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the FTC. In addition, any company handling human resources data from Europe has to commit to comply with decisions by the European DPAs.
- Clear safeguards and transparency obligations on U.S. government access: For the first time, the U.S. government has given the EU written assurances that the access of public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms. Under the new framework, these exceptions must be used only to the extent “necessary and proportionate.” The U.S. government ruled out indiscriminate mass surveillance on the personal data transferred to the United States under the new arrangement. In addition, to regularly monitor the functioning of the arrangement there will be an annual joint review, which also will include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and will invite national intelligence experts from the U.S. and the European DPAs to attend and participate in it.
- Effective protection of EU citizens’ rights with several redress possibilities: Any European citizens who consider that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. The European DPAs can refer complaints to the U.S. Department of Commerce and the FTC. In addition, alternative dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
The European DPAs and other parties and interest groups will no doubt be commenting on the agreement creating the Privacy Shield, and its full details remain to be seen. In the meantime, the agreement for the new framework suggests that the European Commission as well as the U.S. government recognize the importance of finding a solution to the problem created by the Court of Justice’s decision striking down the safe harbor. If things work out as those entities expect, then the Court of Justice ruling will have caused no more than a hiccup for the companies specifically affected by it. If things do not work out for one reason or another, then there very likely will be a great deal of confusion and interruption on the Internet, as everyone will discover.
1. See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
2. See “Court of Justice declares Commission’s U.S. Safe Harbor Decision invalid,” available at http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf.
3. See “Statement of the Article 29 Working Party” (Oct. 16, 2015), available at http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf.
4. See “European Commission and United States have agreed on new framework for transatlantic data flows: the EU-US Privacy Shield” (Feb. 2, 2016), available at http://europa.eu/rapid/press-release_IP-16-216_en.htm.