Legal uncertainty continues in the wake of the Court of Justice of the European Union's decision to throw out the Safe Harbor agreement between the United States and the European Union concerning the international transfer of data.
Pursuant to the 15-year-old agreement, companies in the United States that self-certified their compliance with the EU's standards were allowed to transfer data from the EU to the U.S. without fear of violating the more stringent data laws found in the European Union.
American companies were left scrambling when the Safe Harbor was struck down in early October, and the ensuing moves by data regulators across the globe have provided limited clarity. Below are a few of the actions taken by various government authorities in response to the Schrems decision.
- The Article 29 Working Party, composed of European data protection agencies, issued a statement on the CJEU's opinion, calling on member states of the EU and the U.S. authorities to work on finding a solution to allow the safe transfer of data while protecting EU citizens' fundamental rights. The group indicated it will continue to analyze the impact of the Schrems decision on other data transfer mechanisms, such as binding corporate rules and contractual clauses, although businesses may continue to rely on these agreements for now. The Working Party also set a deadline for the EU and the U.S. to reach a new agreement. Safe Harbor 2.0 must be decided upon by the end of January, the group said, or American companies will begin to see enforcement actions.
- The EU case began with a complaint filed by Austrian citizen Max Schrems with the Irish Data Protection Commissioner (DPC) against a social networking site, seeking to halt the transfer of his personal data to the U.S. in light of revelations about the surveillance activities of the National Security Agency (NSA). The DPC refused to investigate the complaint in 2013. But in light of the CJEU's decision, the Irish High Court ordered the country's DPC to launch an investigation into Schrems' complaint. DPC Helen Dixon confirmed that she would proceed to "investigate the substance of the complaint with all due diligence" in what is likely to be the first test of the CJEU's opinion.
- In Germany, the Data Protection Authorities published a position paper to address the aftermath of the revocation of the Safe Harbor agreement. Based on the decision, the DPAs will prohibit data transfers from the country to the U.S. that are based only on the Safe Harbor, and consider questionable data transfers based on other mechanisms—such as contractual clauses or binding corporate rules. The position paper also stated that the German DPAs will not issue new approvals for data transfers to the U.S. at this time.
- The impact of the decision has been felt outside of the EU as well. The Israeli Law, Information and Technology Authority revoked its prior authorization to transfer data from Israel to the U.S. in reliance upon the Safe Harbor agreement. Israel was one of 11 countries—others include Canada and New Zealand—that obtained "adequacy" status under the EU's Data Protection Directive allowing the free flow of personal data from Israel to the EU and by extension, the U.S., pursuant to the Safe Harbor. Given the findings in Schrems, Israel's data authority revoked approval for data transfers to the U.S.
- In the United States, lawmakers attempted to help the situation by passage of the Judicial Redress Act (H.R. 1428), which would enable foreign citizens to bring civil actions under the Privacy Act of 1974 against certain U.S. government agencies "for purposes of accessing, amending or redressing unlawful disclosures of records maintained by an agency." The bill was a sticking point with the European Commission in earlier negotiations to renew the Safe Harbor agreement and the Schrems decision pushed House lawmakers to pass the measure and send it to the Senate. "Today's bipartisan passage of the Judicial Redress Act will help restore our allies' faith in U.S. data privacy protections and helping facilitate agreements … that strengthen our trans-Atlantic partnerships with Europe," co-sponsors Reps. Jim Sensenbrenner (R-Wis.) and John Conyers (D-Mich.) said in a joint statement along with Rep. Bob Goodlatte (R-Va.).
Why it matters: The fallout from the Schrems decision is far from over. The U.S. and EU were already in talks to update the Safe Harbor agreement. Now the negotiations are even more complicated and a deadline is fast approaching. Federal Trade Commission member Julie Brill recently spoke at an international privacy conference and said the decision "has placed us at a critical juncture, where we need to reflect on the deep values that we share, be honest about the nature of our similarities and differences and assess the steps we need to take in order to develop a truly trusted framework for the transatlantic flow of information."