Not surprisingly, different governments and regulatory bodies have different views on how to strike the right balance as to the protection of the individual’s right to privacy (especially personal data), the facilitation of international commerce, and national security initiatives, and this was all too apparent in the Court of Justice of the European Union’s recent decision in Schrems v. Data Protection Commissioner, Case C-362/14, Judgment of the Court (Grand Chamber) (October 6, 2015). In that case, the Grand Chamber of the Court declared invalid the European Commission’s Safe Harbor Decision of July 26, 2000 (Decision 2000/520/EC Pursuant to Directive 95/46 (July 26, 2000) (the “Safe Harbor Decision 2000/520”)), which had previously held that the Safe Harbor Privacy Principles, issued by the U.S. Department of Commerce on July 21, 2000 (Annex 1 to Decision 2000/520, Safe Harbor Privacy Principles (July 21, 2000) (the “Safe Harbor Privacy Principles”)), provided adequate protection for transfers of personal data from organizations in European Union Member States to the United States. Earlier this month, in the wake of this significant decision, it was announced that an agreement in principle has been reached between E.U. and U.S. officials concerning a new trans-Atlantic data transfer pact (the E.U.-U.S. Privacy Shield), which includes making efforts on both sides of the Atlantic to address the concerns raised in the Schrems decision. Yet, absent specific details about this pact, both regulators and companies have been left questioning the adequacy of the interim data protection measures that are currently in place at thousands of impacted companies, particularly major technology companies. This article assesses the Schrems decision (and the very recent politically-charged negotiations and announcements that have followed) in the context of the system that was put in place to regulate transfers of personal data between the European Union and the United States. 
Specifically, the article highlights the key implications that this decision, the recent announcement of general details about the E.U.-U.S. Privacy Shield, and currently ongoing regulatory reactions (especially by European data protection agencies), will have for many companies based in both Europe and the United States that are now scrambling to ensure that their interim data protection measures are sufficient moving forward.
Regulating the Processing of Personal Data and Transfers of Such Data from European Union Member States to the United States
Within the European Union, an individual’s right to privacy is protected by the Charter of Fundamental Rights of the European Union and the Data Protection Directive 95/46 of the European Parliament and Council (“Directive 95/46”). With regard to the processing of personal data and the free movement of such data by organizations, a system was implemented to prohibit transfers of personal data from within Member States to other countries that do not ensure an adequate level of protection. Yet, rather than defining what an “adequate level of protection” actually means, Article 25(2) of Directive 95/46 instructs the European Commission to make such assessments “in light of all the circumstances surrounding a data transfer operation or set of operations” affording particular attention to: (1) the nature of the data; (2) the purpose and duration of the proposed operations; (3) the country of origin and the country of final destination; (4) the rules of law, both general and sectoral, in force in the third country in question; and (5) the professional rules and security measures which are complied with in that country. In order to promote a level of predictability, transparency, and efficiency, the European Commission has the authority to enter into negotiations with non-European Union states and make subsequent findings on whether those states ensure an adequate level of protection under their domestic laws.
For the purpose of the analysis provided below, it is important to also note that the Safe Harbor Privacy Principles contain a major caveat, which notes that adherence to the Principles may be limited: (1) to the extent necessary to meet national security, public interest, or law enforcement requirements; (2) by statute, government regulation, or case-law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (3) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts.
Although this system (and the Safe Harbor Decision 2000/520) survived for over a decade, warning signals were evident in late November 2013 when concerns were raised about the existence of a number of surveillance programs in the United States that involved large-scale collection and processing of personal data and the impact that these programs were having on individual privacy rights. One major concern was that many of the almost 3250 companies certified under this system (including major companies like Google, Facebook, Microsoft, Apple, and Yahoo) processed the data of their employees in Europe and then transferred that data to the U.S. for human resources purposes, where that data was subject to much greater privacy intrusions which, it was alleged, were not strictly necessary and proportionate to the protection of any national security objectives. Similar concerns were raised about these companies transferring and processing the personal data of their hundreds of millions of clients in the U.S. An additional concern was that, while U.S. citizens might have some recourse for these alleged surveillance-based privacy violations, there appeared to be little-to-no opportunity for E.U. personal data subjects to obtain access to, rectification of, or erasure of their data, or administrative or judicial redress for any collection or further processing of their personal data taking place under the surveillance programs run by the United States government. Ultimately, these concerns were the catalyst for the dispute, and ultimate decision, in Schrems.
The Dispute and Subsequent ECJ Decision in Schrems
Mr. Schrems (an Austrian national) entered into a contract with Facebook Ireland Ltd. upon registering his Facebook account in 2008. Some or all of the personal data of Facebook Ireland Ltd.’s users who reside in the European Union is transferred to servers belonging to Facebook Inc., which are located in the United States, where that data undergoes processing. After revelations were made public by Edward Snowden in 2013 about the purported activities of U.S. intelligence services, in particular the National Security Agency, Schrems filed a complaint with the Irish Data Protection Commissioner requesting that the Commissioner exercise statutory powers to prohibit any transfer of his personal data to the U.S. This complaint was rejected by the Commissioner on the basis that (1) there was no evidence that his personal data had been accessed by the National Security Agency, and (2) any question about the adequacy of data protection in the U.S. had to be determined in accordance with the Safe Harbor Decision 2000/520, in which the Commission had found that the United States ensured an adequate level of protection. This was not the end of the matter.
Mr. Schrems brought an action before the High Court of Ireland challenging this decision. The High Court found that the electronic surveillance and interception of personal data transferred from the E.U. to the U.S. serve necessary and indispensable objectives in the public interest. Yet, the High Court emphasized that the revelations made by Edward Snowden demonstrated significant over-reach on the part of the National Security Agency and other United States agencies. The High Court also stressed that under the Irish Constitution, interferences with fundamental rights and freedoms, including the right to privacy, must be proportional and in accordance with the law. The High Court noted that mass/undifferentiated accessing of personal information was contrary to both this principle and the Irish Constitution. Furthermore, the High Court expressed concern that E.U. citizens appear to have no effective right to be heard in the U.S. about how their personal data is used. Given these concerns, while the High Court ultimately concluded that the Commissioner should have investigated the matters raised by Mr. Schrems, the Court nonetheless noted that this was a matter of European Union law that should be referred to the ECJ for a specific ruling on whether the Commissioner was bound by the finding in the Safe Harbor Decision 2000/520.
On October 6, 2015, the Grand Chamber of the ECJ held that the Safe Harbor Decision 2000/520 is invalid and that the supervisory authority of any Member State can examine the claim of a person concerning the protection of their rights in regard to the processing of personal data which has been transferred to another country when that person contends that the law and practices in force in that country do not ensure an adequate level of protection. The two main justifications for this decision were that U.S. surveillance measures went beyond what was strictly necessary and proportionate to the protection of national security and that data subjects had no administrative or judicial means of redress enabling the data relating to them to be accessed and rectified or erased. In reaching this conclusion, the ECJ noted that it focused solely on the invalidity of the provisions in the Safe Harbor Decision 2000/520, and did not need to examine the content of the Safe Harbor Privacy Principles. Irrespective of this apparent limitation on the Court’s ruling (which was likely intended to soften any political impact by striking a European Commission decision rather than a politically-negotiated set of principles), it is hard to see how the current version of the Safe Harbor Privacy Principles will withstand the same arguments that killed the Safe Harbor Decision 2000/520.
Recent Reactions to Schrems
There has not yet been any subsequent decision on the merits of Mr. Schrems’ arguments. Nonetheless, the immediate aftermath of the Schrems decision was chaotic with many major companies scrambling to react to the invalidation of the Safe Harbor Decision 2000/520.
Since the Court’s ruling in October 2015, there has been increased debate about not just the renegotiation of the Safe Harbor Privacy Principles, but also data protection reform both across the E.U. and between the E.U. and the U.S. The Court’s decision has impacted the negotiations between the E.U. and the U.S. government regarding reform of the Safe Harbor Privacy Principles, which have been ongoing since 2013, well before the decision in Schrems, and are just one important part of the regulatory reform being proposed. Notably, the most recent development came in mid-December 2015, when E.U. officials reached final agreement on a new uniform data protection regulation that will replace the existing Data Protection Directive (which has been implemented in Member States via a patchwork of national privacy laws) and subject multinational companies to significant fines: namely the greater of four percent of their annual global turnover or 20 million Euros.
It is worth noting that this new regulation will not take effect until two years after the proposal is finally adopted by the European Parliament and Council (which is expected to occur in early 2016). Furthermore, despite the strict penalties that have been included in the new regulation, the proposed regulation has been viewed favorably by businesses in Europe because it purports to usher in a more streamlined and predictable approach to regulation where companies can simply deal with a single supervisory authority. Notwithstanding these efforts, given the structure of the European Union, enforcement of harmonized rules will likely be left to national agencies operating under amended national laws, so complete harmonization might not occur.
In addition to this larger regulatory reform proposal, the body responsible for monitoring data privacy, the Article 29 Working Party, had announced that if by February 1, 2016 no appropriate solution was found with U.S. authorities, national data protection authorities would be forced to take all necessary action, including potential coordinated enforcement action. While that deadline was missed, a new trans-Atlantic data transfer pact (the “E.U.-U.S. Privacy Shield”) was announced on February 2, 2016. As of the writing of this article, although American and European negotiators have not released specific details concerning the E.U.-U.S. Privacy Shield for political approval, they have confirmed that this pact will: include stronger oversight of companies’ compliance (including enforcement efforts by European Data Protection Agencies, the U.S. Department of Commerce, and the U.S. Federal Trade Commission); include guarantees from the U.S. that access to data concerning E.U. citizens will be subject to clear safeguards and limitations (including limits on mass access to personal data for national security purposes); and provide E.U. citizens with better forms of redress (including the creation of a new Ombudsman and other forms of ADR to assist with individual complaints and inquiries).
This announcement will likely delay the kinds of investigations, legal proceedings, and/or fines against companies that fail to comply with the current patchwork of data privacy requirements across Member States, which had been threatened by European data regulators if a pact was not reached by February 1, 2016. However, even though a deal has been struck, its legality will still likely be subject to the scrutiny of the same European data privacy regulators.
Despite the concerns raised about over-reach of national surveillance measures, it remains to be seen whether recent terrorist activity will slow some of the momentum behind these data privacy developments and reforms. Much criticism of the Schrems decision focuses on the counterarguments that (1) data protection in the U.S. and across Member States is substantively equivalent; and (2) that many Member States enforce just as broad national security data monitoring programs as those U.S. measures that caused concerns in Schrems. There is no doubt that any negotiations moving forward will focus on how to strike a better balance between privacy rights and national security objectives, so that concerns about proportionality and over-reach of government surveillance can be addressed.
Implications for Clients
The ruling in Schrems, and both the political and regulatory reactions to this ruling, have already had, and will continue to have, direct consequences for businesses transferring personal data to the U.S. or outsourcing the processing of personal data to the U.S. Many companies have already used the ruling in Schrems as a catalyst to review policies and procedures relating to the transfer and processing of personal data to locations beyond the E.U. and are closely following updates from not just the European Commission, but also announcements from national data protection authorities in the Member States and overseas regulators, especially those in the U.S. Furthermore, European data protection officials have issued warnings that the practices of American businesses, especially technology companies that deal with large amounts of personal and employee data, will come under much closer scrutiny and regulatory oversight in each Member State. These efforts might have even wider implications, whereby companies in Member States, like Germany, might try to invoke data privacy concerns as a basis for objecting to production of internal personal emails in U.S. litigation.
While further clarification from regulators is pending, companies have been taking a number of risk management steps, including: (1) review of current data flows of personal data; (2) analysis of how to limit the amount of personal data that is transferred/processed in the U.S.; (3) analysis of the personal data, if any, that must be transferred/processed in the U.S.; (4) review of contracts with vendors that rely upon Safe Harbor certification; and (5) analysis of local data privacy requirements in each country where personal data is currently being transferred or processed. There was concern that some of these efforts might amount to an attempt to hit a moving target given that national authorities could, at least for the time being, respond to the decision in Schrems in an idiosyncratic manner, creating a patchwork of enforcement risks while any subsequent action from the European Commission is pending. To address this risk, the Commission issued a Communication on November 6, 2015, reiterating the Article 29 Working Party’s conclusion that while data transfers can no longer be based on the invalidated Safe Harbor Decision 2000/520, standard contractual clauses and binding corporate rules can be used as an interim basis for data transfers.
As such, in addition to the above-cited risk management measures, companies have also been utilizing other mechanisms for international transfers of personal data permissible under European Union data protection laws, such as model contract clauses (approved by the European Commission), binding corporate rules, and approvals from national supervisory authorities. However, it should be noted that achieving compliance is not as simple as obtaining consent from each individual data subject by contract, especially in the context of employee personal data, because a number of Member States have held that employee consent cannot be freely given via an employment contract. There is even some concern about the use of model contract clauses that have been approved by the European Commission given that such approval may have been based upon the presumption of the validity of the now invalid Safe Harbor Decision 2000/520, and thus subject to legal challenges. By contrast, obtaining regulatory approval, whether in the form of specific approvals or the approval of binding corporate rules, can create greater certainty for companies, but such measures can come at the cost of significant delays.
Given the uncertainty and risk that will continue to accompany transfers and processing of personal data between Europe and the United States, and the significant fine exposure that is likely to be enforced in the future against companies that do not take sufficient precautionary action, it is prudent to obtain counsel from a law firm with specific expertise in dealing with data privacy regulators on both sides of the Atlantic.