EU-US Data ‘Safe Harbor’ Hit by Legal Tsunami

Many businesses depend on ‘safe harbor’, a concept which says that US firms are deemed to comply with EU data protection law if they say they comply with it, despite the fact that US data protection law is nothing like EU law. Even if you know nothing more about safe harbor, the sharp-eyed risk analysts amongst you will have already identified its key weakness: compliance is self-declared and nobody checks it. However, because so much money depends on the transfer of personal data between EU citizens and US corporations, the flaw with safe harbor has been ignored by everybody – except for a few dogged privacy campaigners. Those campaigners look like they might be on the brink of an extraordinary victory, thanks to a preliminary opinion issued by an Advocate General, a senior lawyer who advises the judges of the Court of Justice of the European Union (CJEU).

Neither politicians nor businessmen wanted to rock this boat, and it takes time and money to pursue a legal case that strikes at the heart of EU law and power. However, Austrian Max Schrems and his ‘Europe versus Facebook’ campaign have spent years seeking legal confirmation that Facebook, and other US businesses, violate the rights of EU citizens. (If you want a full run-down of the relevant laws and of Schrems’ campaign, then read my previous article about safe harbor.) Schrems is now on the verge of a major breakthrough, after CJEU Advocate General Yves Bot delivered a preliminary opinion that, if endorsed by the CJEU judges, will finally force everybody to take responsibility for the biggest-problem-in-international-data-transfer-and-management-that-everybody-wants-to-pretend-is-somebody-else’s-problem.

Put simply, Bot concluded that even if the European Commission says the USA is a country where nobody ever breaks EU laws, and that no US citizen is capable of telling a lie, and the USA is a place where unicorns dance with fairies to the sound of harpsichord music, then that does not make it so. (I exaggerate a little; he said nothing about unicorns, but you take my point.) So even though the European Commission says that no national data protection authority in Europe has to check whether the USA is the kind of place where EU laws might get broken, the Advocate General said those data protection authorities have a legal obligation to protect their citizens, and they cannot do that by just trusting that American processors of data will always comply with EU law. This is how the CJEU press release worded that part of the opinion:

In today’s Opinion, Advocate General Yves Bot takes the view that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the national supervisory authorities’ powers under the directive on the processing of personal data.

Advocate General Bot then went one step further. He did not just say the data protection authorities should actually do the job that taxpayers pay them to do. Bot proceeded to do their job for them. He looked at the actual situation in the USA, and concluded that mass surveillance conducted in the USA means EU laws will be broken when the personal data of EU citizens is transferred to the USA. In other words, he took the core principle of safe harbor, and smashed a tsunami of human rights against it. In the words of the CJEU:

It is apparent… that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection…

The Advocate General considers furthermore that the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data… Likewise, the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States amounts… to an interference with the right of EU citizens… to an effective remedy.

According to the Advocate General, that interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance.

This is not the end of the argument. Bot’s opinion is not final. He has given his recommendation, but now the CJEU judges will need to deliberate. However, Bot has let the genie out of the bottle. When it comes to data protection in the USA, the EU has spent years looking the other way. Now that Bot has plainly stated what the problems are, and pointed at the areas where US law and the behavior of the US government clearly contradict EU law, it would take a masterful effort for other lawyers to preserve the safe harbor. Safe harbor has lasted this long because of delaying tactics and evasion, not because of a proper examination of its merits. Bot’s analysis points out what European politicians should have appreciated all along: that safe harbor was a sham. In fact, Bot directly accuses the European Commission on this point.

… according to the Advocate General the Commission ought to have suspended the application of the decision [i.e. safe harbor] even though it is currently conducting negotiations with the United States in order to put an end to the shortcomings found. The Advocate General indeed observes that, if the Commission decided to enter into negotiations with the United States, that is because it considered beforehand that the level of protection ensured by that third country, under the safe harbor scheme, was no longer adequate and that the decision adopted in 2000 was no longer adapted to the reality of the situation.

Maybe the European Commission will succeed in negotiating a successor to safe harbor, and maybe they will delay and fudge timelines so that everybody keeps doing what they are currently doing, without needing to make necessary changes. However, the problem faced by the Commission is unchanged from the one they faced when they originally adopted safe harbor. The reason safe harbor does not work is because the USA is a rich and powerful country, and they do not need to kowtow to any and every European regulation. US firms want to trade and process the data of EU citizens, but not at any cost. And the US government has its own ideas about who has a right to what data, in the interests of national security.

There is a massive gulf between expectations in the USA and the lofty principles adopted by the EU. Many European governments have failed to comply with their EU-driven data protection laws, so why should the USA strive to uphold them? The EU’s rules were built on a foundation of ambitious abstract ideals, not on pragmatism and experience. That is why they are repeatedly violated, and poorly enforced. The truth is the USA will not bow to the EU. That creates a terrible tension for politicians who do not want to admit the ‘protection’ afforded by EU law can only survive because they rarely seek to enforce those laws, even inside the EU.

Consider the recent news that Volkswagen cheated on emissions tests for cars sold in the USA. A big European business, with a lot of money at stake, went to a lot of trouble to hoodwink American regulators, even though they complied with emissions rules in the EU. Now consider that over 4,000 American organizations currently self-certify their compliance with EU data protection law. No regulator has ever audited their compliance. No European data protection authority has questioned a single registration. The organizations were added to the list without needing to pass a single test. And when it comes to the transfer and processing of personal data, there is a lot of money at stake. If we can believe that Volkswagen would take such an enormous risk when lying to American regulators, what makes us think that not a single American business would be willing to lie about their compliance with EU law, given they face no risk and no penalty for doing so?

Safe harbor is a mess, and the fault lies entirely with European politicians who want to promise they can protect their citizens, even when they cannot. Resolving the mess may involve extraordinary consequences, including a massive class action lawsuit against businesses like Facebook, the interruption of data flows between Europe and the USA, and costly restructuring of data centers and organizational relationships in multinational tech firms like Google and Microsoft. Though very many people want to continue with business as usual, that is an outcome that looks increasingly unlikely.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Director of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.