On October 6, 2015, Europe’s highest court struck down the international agreement that had allowed companies to move digital information between the United States and the European Union for the past 15 years (the “U.S.-EU Safe Harbor” or the “Framework”). The European Court of Justice held that, by allowing U.S. law enforcement officials unfettered access to the data of EU citizens, the Framework failed to adequately protect the privacy rights of those citizens. The ruling came shortly after an advisor to the European Court of Justice commented publicly that the Framework should be discarded due to “mass, indiscriminate surveillance” by the United States. The October 6 ruling, which cannot be appealed and went into effect immediately, affects all companies with offices, employees or business relationships in Europe.
The U.S.-EU Safe Harbor was agreed to in 2000 after the EU found that the United States did not meet the EU “adequacy” standard for privacy protection pursuant to the European Commission’s Directive on Data Protection. In order to provide a way for U.S. organizations to satisfy the Directive’s adequacy requirement, the U.S. Department of Commerce, in consultation with the European Commission, developed the Safe Harbor Framework. Under the Framework, once self-certifying that they were compliant with the Framework, U.S. businesses were deemed to provide adequate privacy protection and were authorized to transfer data to and from the EU. Also significant, claims brought by EU citizens against U.S. organizations that are participants in the Safe Harbor program will be heard in the United States.
However, in recent years, the U.S.-EU Safe Harbor has been criticized by many, resulting in protracted negotiations between the European Commission and the United States regarding an updated Framework for data transfer. Moreover, revelations regarding U.S. security practices have given rise to legal challenges to Safe Harbor, such as the 2013 complaint regarding Facebook’s compliance with EU data privacy rules that led to the October 6 holding. When that complaint was rejected by the Irish data protection authority on the basis that it was bound by the Framework, the plaintiff appealed to the European Court of Justice, which determined that the Irish Authority not only had the right to investigate, but must do so. In the wake of this ruling, data protection regulators in each of the EU’s 28 countries will have oversight over how companies collect and use online information of their countries’ citizens. Many European countries have widely varying stances toward privacy; for example, the U.K. and German approaches differ greatly. While, generally, there has been a movement toward harmonization of national privacy rules, the October 6 ruling may delay such progress.
This decision by the European Court of Justice is likely not the final word on this issue. In the United States, Commerce Secretary Penny Pritzker decried the ruling, stating that she was disappointed in the European court’s decision, which “puts at risk the thriving transatlantic digital economy.” Pritzker’s comments were echoed by lawmakers on both sides of the aisle. Several Republican members, including Senate Commerce Committee Chairman John Thune (R-SD), also expressed disappointment in the decision and urged negotiators to reach a new, updated data-sharing agreement. Sen. Ron Wyden (D-OR) said that the decision was “misguided” and would unfairly impact U.S. businesses. Secretary Pritzker has said that, despite the ruling and its negative impact on U.S. businesses, the United States will continue to work with EU officials to update the Framework.
In the EU, Frans Timmermans, the first vice president for the European Commission, which will be charged with carrying out the ruling, attempted to ease the concerns of companies by stating that businesses could still move European data to the United States through other existing methods. However, there are concerns about the continued validity of these approaches as well, in light of the October 6 ruling.
Although the October 6 decision does not order an immediate end to personal data transfers, it does allow national regulators to suspend them on the basis that they do not provide sufficient privacy protections. This will affect the approximately 4,500 companies that currently use U.S.-EU Safe Harbor to transfer payroll, human resources and other data from the EU to the United States or vice versa, and/or store that data on cloud services in the United States. As a result of the October 6 ruling, firms that wish to store Europeans’ data in the United States or transfer that data to Europe will need to set up alternate arrangements and prepare for challenges from the European regulators. This may be an especially complex exercise in light of potentially differing approaches to data flows in the EU. Additionally, even private disputes brought against U.S. companies related to data privacy issues may no longer be heard in the United States, subjecting companies to litigation overseas. Akin Gump Strauss Hauer & Feld lawyers can help businesses navigate the implications of the October 6 ruling, including ensuring that businesses are in compliance with the relevant EU data protection regulations.