“Aside from taking an ax to the undersea fiber optic cables connecting Europe to the United States, it is hard to imagine a more disruptive action to trans-Atlantic digital commerce.”
That was the measured reaction of the Washington think tank the Information Technology and Innovation Foundation to the news that the Court of Justice of the European Union had torn up the Safe Harbor privacy protection agreement on the transfer of personal data from the EU to the U.S.
But the European Commission seemed unperturbed by the abrupt end of the agreement it struck with the U.S. government in July 2000 to ensure that the personal data of Europeans was granted the same legal protections in the U.S. as it was in the EU.
Commission members Frans Timmermans and Věra Jourová took time out from discussing the ongoing refugee crisis in Europe to tell citizens that their main priority is protecting personal data transferred across the Atlantic, and to reassure businesses that their other main priority is continuing the flow of data — with appropriate safeguards. Timmermans said the court’s ruling is “an important step towards upholding Europeans’ fundamental rights to data protection” while Jourová said it gave the Commission a better potential for continuing negotiations on a “safer Safe Harbor” agreement with U.S. authorities.
The two dismissed suggestions that the ending of Safe Harbor would bring an abrupt halt to the trans-Atlantic transfer of personal data, pointing out that European legislation also provides for a number of other ways of guaranteeing the privacy of such data.
Edward Snowden’s revelations in 2013 of the extent to which U.S. intelligence services were able to access personal information held by companies such as Google and Facebook led the Commission to identify the shortcomings of Safe Harbor and to begin renegotiating the agreement with U.S. authorities, Jourová said.
That same year, a young Austrian law student, Max Schrems, filed a complaint with the Irish Data Protection Commissioner about the way his personal data was being handled by the Dublin-based Facebook Ireland. The DPC promptly rejected Schrems’s complaint, saying Facebook’s transfer of his data to the U.S. complied with the Safe Harbor rules. Schrems sought a judicial review of the decision from the Irish high court, which in turn asked the CJEU to rule whether the DPC was right to defer to the Commission’s Safe Harbor agreement or whether it should have investigated the complaint.
On Tuesday the CJEU told the Irish DPC it had a duty to investigate. Then it went much further, deciding that the Safe Harbor agreement was invalid anyway as it only bound companies, not U.S. intelligence and law enforcement agencies, to comply.
That decision will reinforce the Commission’s position in its negotiations with U.S. authorities on the new Safe Harbor agreement: Its hands are now tied by the court’s ruling, which limits the concessions it can make.
There’s no telling how long it will take to conclude negotiations, Jourová warned: “I wanted to finalize them before the summer, but I found we needed more time for the national security items.”
Meanwhile, the Commission has two strategies for reducing the legal uncertainty created by the death of safe harbor.
The first strategy is to encourage companies to switch to one of the other methods of protecting data transfers that are provided for in existing law. These, Jourová said, include the use of standard data protection clauses in contracts between companies or binding corporate rules within a corporate group.
Data can also be transferred on the basis of performance of a contract, she said, giving the example of a hotel booking that can only be completed if the data is sent to the hotel, or if it is in the vital interests of the data subject — for instance, transmitting their medical records in a life-or-death situation.
In the absence of other grounds for transfer, data can still be sent out of the EU with the free and informed consent of the individual, she said. Expect a flurry of revisions to privacy policies in the coming weeks.
With the court giving national data protection authorities carte blanche to conduct their own investigations into privacy policies, the Commission’s other strategy for reducing uncertainty is to ensure they all follow the same rules.
“We will come up with clear guidance for DPAs on how to deal with the transfer of data to the U.S. in the light of the ruling,” Timmermans said. “As businesses need legal certainty, the guidance should help avoid a patchwork of conflicting decisions by DPAs.”
Privacy regulators are evidently thinking along the same lines: The Article 29 Working Party, the umbrella organization for the EU’s national privacy regulators, said Tuesday that it will meet shortly to provide a coordinated analysis of the court’s decision.
It’s a busy time for Brussels privacy experts: The Commission has two other major privacy projects on the go, both of which Jourová is confident can be completed by year’s end.
One is the so-called umbrella agreement with U.S. authorities, governing the access law enforcers have to personal data and providing European citizens with the same right to legal redress if their privacy is violated as U.S. citizens would enjoy in Europe.
The other is to bring the EU’s existing data protection law up to date. The current rules were set by the 1995 Data Protection Directive, before companies such as Facebook or Google existed. In 2012 the Commission proposed a regulation further harmonizing privacy laws across the EU while giving more power to national regulators, and is now close to agreement with the EU’s other lawmaking bodies, the Council and the Parliament, on a final text.