The Demise of Safe Harbor and Rise of Privacy Shield
On October 6, 2015, the European Court of Justice (“ECJ”) ruled the US-EU Safe Harbor agreement invalid. The international agreement permitted companies to transfer digital information across the Atlantic, originating in the European Union (“E.U.”) and traveling to the United States (“U.S.”).
Law student Maximillian Schrems, an Austrian citizen, initiated the complaint with the Irish Data Protection Authority (“DPA”) alleging that, in light of the 2013 Snowden revelations, E.U. citizen data transferred to the United States was not adequately protected against surveillance by U.S. public authorities.
The ECJ determined that the European Commission (“EC”), which approved the Safe Harbor agreement, overstepped its authority by not incorporating necessary protections and by denying DPAs the right to complete investigations and enforce the E.U. data protection regime against companies self-certified under Safe Harbor.
The ECJ’s ruling left companies scrambling to develop a new framework for transferring data to the U.S. without violating E.U. laws.
E.U. vs U.S.
The distinct U.S. and E.U. approaches to data protection and privacy are at the center of controversy. Data protection in the E.U. is approached through a more centralized system of strong privacy protections for individuals. Conversely, privacy law in the U.S. has been more elusive. The Constitution does not directly address privacy, and today’s laws are the result of a storied and controversial case law history. Many argue that current U.S. law has not kept up with important changes in technology. Social media, cameras, drones, and data mining are just a few examples of challenges to American privacy law.
By contrast, the E.U.’s more centralized approach considers data privacy a “fundamental right” for all persons in the E.U. This right is contained in the European Charter of Fundamental Rights which is incorporated into the 2009 Lisbon Treaty, the constitutional basis for the European Union. Along with the E.U.’s 1995 Data Protection Directive 95/46/EC (“1995 Directive”), which provides an overarching legal framework regulating both commercial and law enforcement uses of data, the E.U. promotes citizens’ rights to data privacy over trade, innovation, and law enforcement.
The E.U.’s privacy and data protection laws afford citizens more personal security than Americans enjoy under U.S. law.
The Safe Harbor framework was created in response to the E.U’s strict 1995 Directive. The Directive specifically prohibits the transfer of personal data gathered within the E.U. for commercial purposes to countries outside the E.U. that do not meet an “adequate” level of data protection. Safe Harbor came into effect in 2000 and has been the exclusive framework used by many U.S. companies to conduct business with the E.U.
Drafted to promote the open flow of data between the U.S. and E.U., Safe Harbor was a self-regulatory system whereby U.S. companies could achieve self-certification for data protection by claiming they had complied with the seven Safe Harbor Privacy principles. Upon self-certification, U.S. companies were automatically deemed to have met an “adequate” level of data protection.
With the ECJ’s decision suspending use of Safe Harbor, the U.S. and E.U. governments urged companies to stay calm while a new agreement was negotiated. Unfortunately for businesses, an atmosphere of legal uncertainty following the decision made it difficult to make concrete plans for the future. Alternative options for transferring personal data outside of the E.U. in lieu of Safe Harbor were only partially reliable since many require very specific conditions. In some instances, American companies had to also consider building or outsourcing personal data to European data centers. Other than express consent from an individual to transfer his or her personal data to governmental authorities, alternatives to Safe Harbor implicated a very costly and legally risky result. Placing at stake continued U.S. growth in transatlantic trade, leaders pushed for the quick adoption of a new and compliant framework.
The significance of replacing Safe Harbor goes as far as affecting current Transatlantic Trade and Investment Partnership (“TTIP”) negotiations. Safe Harbor 2.0 talks became a sticking point for TTIP, specifically because of the E.U.’s focus on data protection.
The value of sorting out a robust agreement on data protection and privacy has been significantly urgent with recent efforts toward an Umbrella Agreement, Safe Harbor 2.0, and, ultimately, TTIP. Initially, negotiations towards an Umbrella Agreement halted due to delay on the U.S. Judicial Redress Act, which would allow E.U. citizens the right to seek judicial redress in the U.S. in the case of a data breach. This delay also had an effect on revision of Safe Harbor prior to the ECJ ruling. Once the ECJ struck down Safe Harbor’s validity, the need for implementation of the U.S. Judicial Redress Act became specifically necessary.
The Redress Act passed the Senate Judiciary Committee with amendment, but it is still awaiting a floor vote in the Senate. The Act will not protect personal data transferred to the U.S., but it will provide E.U. citizens the same rights under the Privacy Act as those afforded to U.S. citizens and residents.
Additionally, not all E.U. citizens are included under the Redress Act, only those within E.U. member states the Attorney General designates as “covered countries.”
Talks on TTIP regarding data protection should continue forward if both implementation of the U.S. Judicial Redress Act and finalization of a satisfactory Safe Harbor 2.0 agreement occur.
Ultimately, the stall on Safe Harbor greatly affected businesses and consumers in both the US and EU.
E.U. and U.S. authorities were given until the end of January 2016 to develop a Safe Harbor 2.0 that integrated the necessary data and privacy protections. Although negotiations did not render a new agreement by the deadline, emergency talks generated a deal Tuesday, February 2, 2016.
The new framework, fresh with a newly-minted title: the EU-US Privacy Shield, still requires review by the Article 29 Working Party and the College of Commissioners. The EC has provided a limited release of elements found in the official agreement which include the following:
Strong obligations on companies handling Europeans' personal data and robust enforcement,
Clear safeguards and transparency obligations on U.S. government access, and
Effective protection of EU citizens' rights with several redress possibilities.
Additionally, the EC will revisit adequacy of the overall agreement and U.S. commitments and performance on a yearly basis, indicating that companies will not enjoy a long-term agreement through Privacy Shield as they did with Safe Harbor.
Note: This post is cross-published here.