Special Edition September 2015 Print Version

For more information, please contact:
Brian Hengesbaugh Partner, Chicago +1 312 861 3077 firstname.lastname@example.org
Harry Small Partner, London +44 20 7919 1914 email@example.com
Anne-Marie Allgrove Partner, Sydney +61 2 8922 5274 firstname.lastname@example.org

Frequently Asked Questions on the Advocate General's Opinion on the US-EU Safe Harbor Program

What did the Advocate General decide regarding Safe Harbor?
The Advocate General for the European Court of Justice has just issued a much anticipated, non-binding opinion regarding the EU/US Safe Harbor Privacy Arrangement (Advocate General's Opinion in Case C-362/14, Maximilian Schrems v. Data Protection Commissioner). Going beyond the specific question posed in the case, the Advocate General proposed to the ECJ that Safe Harbor as a whole should be deemed invalid.

Is the US-EU Safe Harbor Program now invalidated or terminated?
No. The program continues to be valid and effective at the present time. Since its inception in 2000, various EU institutions, politicians and national authorities have criticized and challenged the program, but it remains valid with binding effect today.

What question was the ECJ asked to resolve?
The ECJ was asked to consider whether the Irish Data Protection Commissioner "may and/or must" independently evaluate whether the third country (in this case, the United States through the implementation of Safe Harbor) offers "adequate protection" for personal data within the meaning of the European Data Protection Directive (95/46/EC), or whether the Irish Data Protection Commissioner is bound by the European Commission's Article 25(6) decision in this regard. The concerns in the underlying case related to the extent of data accessed by the US National Security Agency and other US authorities as described in Edward Snowden's revelations in 2013.

What are some of the key concerns with the Advocate General's opinion?
Although it is clear that the Advocate General's views are motivated by a strong and genuine concern for data protection and civil liberties, it is equally clear that there are issues with the opinion's analysis and conclusions. Among other concerns, the opinion makes frequent references to the US government's perceived "mass and indiscriminate surveillance and interception" of personal data. It does not, however, address or analyze in any meaningful detail the many changes in US law and policy that have occurred since those revelations came to light.

Lothar Determann Partner, Palo Alto +44 20 7919 1914 email@example.com
Michael Schmidl Partner, Munich +49 89 552 38155 firstname.lastname@example.org
Robbie Downing Consultant, London +44 20 7919 1914 email@example.com
Daniel Krone Partner, Munich +49 89 5523 8156 firstname.lastname@example.org

The USA Freedom Act was signed by President Obama in June of 2015 and includes provisions protective of privacy and civil liberties, including: elimination of bulk data collection of call data from providers by imposing requirements for specific selection terms; permission for FISA courts to appoint an individual or organization to provide, among other things, legal arguments that advance the protection of individual privacy and civil liberties; requirements for FISA courts to find that the data collection procedures meet applicable standards for data minimization; and allowance of certain nondisclosure orders to be challenged immediately by the recipient.
With regard to policy changes, President Obama issued in January of 2014 Presidential Policy Decree 28 ("PPD-28"), which applies to all signals intelligence activities (electronic system monitoring) and provides that "[p]rivacy and civil liberties shall be integral considerations" in such activities.
PPD-28 sets out specific principles to be followed for safeguarding personal data collected from signals intelligence activities, including: (i) minimization; (ii) data security and access; (iii) data quality; and (iv) oversight. PPD-28 also includes requirements for privacy and civil liberties policy officials, a coordinator for international diplomacy related to foreign inquiries on signals intelligence and periodic reporting by the Director of National Intelligence.
From a transatlantic perspective, the EU-US data protection "Umbrella Agreement" has now been approved by US and European authorities. This Umbrella Agreement establishes a comprehensive, high-level data protection framework for EU-US law enforcement cooperation and provides safeguards and guarantees of lawfulness for data transfers. In particular, once implementing legislation is adopted, EU citizens will under the agreement have the same judicial redress rights as US citizens in case of privacy breaches.
Moreover, although the opinion suggests that the European Commission has taken no action to update the Safe Harbor since its inception, the European Commission and the US Department of Commerce are engaged in a comprehensive review of Safe Harbor. Such an agreement is reportedly very close to completion, and would establish an updated Safe Harbor program that addresses the European Commission's specific points of concern with the program.

If adopted, what would the opinion mean for Safe Harbor companies and their European trading partners?
European companies that have been doing business with participants in the US-EU Safe Harbor program would have to revisit their compliance obligations and options, which could disrupt their data protection compliance programs and established business relationships. They may have to ask their US counterparties to consider standard contractual clauses, binding corporate rules or other approaches, which would also have an impact in terms of cost, time for implementation and administrative burdens. European companies may have to update their filings with data protection authorities as well as all information notices (e.g., privacy policies, IT policies, removal of safe harbor notices and all informative documents) which, in accordance with EU Privacy Laws or Safe Harbor Agreement requirements, previously indicated that they have relied on the Safe Harbor Program to transfer data to the United States. Also, European companies may become subject to approval requirements with local data protection authorities for data transfers in the US.

Denise Lebeau-Marianna Partner, Paris +33 1 44 17 53 33 email@example.com
Francesca Gaudino Partner, Milan +39 0 2762 31452 firstname.lastname@example.org
Julia Wendler Partner, Munich +49 89 552 38242 email@example.com
Harry Valetk Of Counsel, New York +1 212 626 4285 firstname.lastname@example.org

If adopted, what would the opinion mean for European data protection?
The decision would materially lower the protection for European personal data in the United States because it would eliminate the role of the FTC. Regardless of any perceived shortcomings in Safe Harbor enforcement, the reality is that the FTC has pursued dozens of Safe Harbor cases to conclusion, and US companies are greatly motivated by concerns about FTC enforcement actions. It is an extraordinary benefit for European data protection that the FTC will enforce European data protection rights against US companies on US territory.
All of this would be forfeited under the views in the opinion. It would also call into question the validity of European Commission decisions of adequacy for other countries and systems, or at a minimum invite Member State data protection authorities to second-guess the validity of the decisions. If this approach is followed, the validity of alternative means of trans-border data flows such as model clauses and binding corporate rules may be revisited, with potential negative consequences for companies.
The surveillance and data collection programs by the intelligence services of the United States and its European allies would likely not be affected in any way by a discontinuation of the Safe Harbor. The intelligence services have been closely cooperating for many years on both sides of the Atlantic, and in fact many European countries have enacted strict anti-terror laws that have arguably lowered data protection standards.

What happens now?
We await the decision of the ECJ. The date of the decision cannot be predicted with certainty but it is likely several months away.

What should Safe Harbor companies do now?
Companies should consider additional or alternative arrangements to legitimize international data transfers, such as model agreements, reliance on derogations such as consent or perhaps, where practical, development of binding corporate rules. As with all data protection issues, there can be no one-size-fits-all solution for these issues. In any event, companies will need to stay tuned to the final developments on the US-EU discussions on Safe Harbor, the implementing legislation for the Umbrella Agreement, and the ECJ's approach to these issues.

Amy de La Lama Of Counsel, Chicago +1 312 861 2923 email@example.com
Benjamin Slinn Associate, London +44 20 7919 1783 firstname.lastname@example.org
Michael Egan Associate, Washington, D.C. +1 202 452 7022 email@example.com