European Court of Justice Decision Casts Data-Sharing Pact Between U.S. and European Union into Doubt

October 13, 2015

If one were to take a walk on one of the beaches on France’s famed Riviera, he or she may assume that Americans value their privacy more than Europeans.  However, a recent decision by European Court of Justice proves the contrary is true, at least for personal data.
Recently the European Court of Justice has called the European Union-United States Safe Harbor Framework into question.  The Framework, which went into effect in 2000, aimed to make it easier for U.S. organizations to collect data about E.U. citizens.  The decision leaves about 4,500 U.S. companies in a state of purgatory with their business operations relating to the data transfer of data about E.U. citizens.
The story of the Safe Harbor framework starts in 1998 when the European Commission enacted its Directive on Data Protection.  This directive prohibited the transfer of personal data from European Union members to third countries that do not provide, either through domestic legislation or international commitments, an “adequate” level of protection.  In order to enforce the Directive on Data Protection, the European Commission, called upon all member-states to designate a public authority to monitor the national application of the Directive.
In order for the U.S. to comply with E.U. Directive on Data Collection, the U.S. Department of Commerce in conjunction with the European Commission created the Safe Harbor Framework.  The Safe Harbor Framework was meant to ensure that U.S. organizations receiving personal data from members of the E.U. would adhere to privacy standards essentially equivalent to those in the E.U.  In order to receive data from the E.U. under the Safe Harbor Framework, a U.S. organization would have to publically declare that it would comply with the principles set forth by the Safe Harbor Framework.  After an organization publicly announced its compliance, it could receive data from the E.U.
Fast forward to 2013, an Austrian Facebook user named Maximilian Scherms filed a complaint with the monitoring authority in Ireland stating that the U.S. did not provide an adequate level protection for his personal data. (As a side note: Facebook’s main European Server is in Ireland, so all Facebook data that gets transferred to the U.S., gets transferred to the U.S. from Ireland).  The complaint was motivated by the Edward Snowden leaks, most notably about the NSA, that the laws and government of the United States do not adequately protect personal information from government surveillance.   The monitoring authority in Ireland dismissed the complaint stating that the European Commission had already written a decision stating that the United States did, in fact, provide an adequate level of privacy.
Consequently, Scherms brought suit before the Irish High Court, which handed the case up the European Court of Justice for a preliminary ruling.  The ECJ found that the existence of a decision by the European Commission on whether or not a third country provides adequate privacy protections of personal data should not preclude the monitoring authority from investigating claims of whether a third country complies with the standards mentioned in the Directive.  Thus, the ECJ gave the public authorities in the E.U.’s member states the power to investigate claims that a third country does not give adequate privacy to personal data and suspend the transfer of data to those countries.
The ECJ also called into question the European Commission’s scrutiny of the Safe Harbor Framework.  It noted that the point of the Safe Harbor Framework was meant to ensure that the U.S. was providing a level of data protection essentially equivalent to that provided in the E.U. either by its domestic laws or it international obligations.
However, the ECJ never reached the question of whether the Safe Harbor framework provided an equivalent set of privacy protections. Instead, the ECJ found that only private entities were subject to the Safe Harbor Framework and that public entities were not.  Further, the court made note that where there was a conflict between an organization’s obligations to the Safe Harbor framework conflicted with the internal laws of the United States, the internal laws of the United States would prevail.  Thus, if Congress or a government agency created a law or regulations conflicting with the principles set forth in the Safe Harbor Framework, the organization would act in accordance with the U.S. legislation or regulations.  In effect, the Safe Harbor Framework might become illusory if Congress or an agency so decides.  In that sense, the decision seems logical, especially given the ever-changing state of privacy laws in the United States.
However logical the ECJ’s decision may seem, it leaves U.S. businesses scratching their heads.  Before, the Safe Harbor Framework was fastest and most efficient means of acquiring data from Europe.  Now, it’s in a state of flux.

At any time a monitoring authority may pull the plug on the Safe Harbor Framework.

Some companies have seen this coming and have used European Approved model contract clauses.  It should be noted that these clauses limit the amount of personal data that a U.S. organization can receive.  Also, the U.S. and Europe have been discussing a new Safe Harbor Framework II for almost two years.
Thus, while the decision is certainly a blow to the Safe Harbor Framework and the organizations that rely on it, it should not be seen as definitive stop of data sharing between the U.S. and the E.U.  There are still methods by which U.S. organizations can obtain personal data from Europe and it looks like a new safe harbor framework might be reached before the rug gets pulled out on the current one.