As previously predicted on Commsrisk, the Court of Justice of the European Union (CJEU) yesterday ruled that the EU-US ‘safe harbor’ arrangement is invalid, with immediate effect. The concept of safe harbor allows US firms to self-certify compliance with EU data protection law. Without it, US firms will need to go through a more rigorous process to demonstrate they are fit to receive and process personal data relating to EU citizens.
To put it simply, this is a BIG DEAL. The EU has always applied a two-tier, chauvinistic approach when protecting the personal data of its citizens. From the moment the EU first considered introducing data protection legislation, it was obvious the rules would be fatally flawed if they allowed organizations to work around them by transmitting data outside the EU. The solution was simple: if you shipped data overseas, you were responsible for putting in place contracts and controls that force the organization receiving the data to comply with EU rules. So if the receiving party is in Brazil, or India, they must be made to jump through lots of hoops to prove they will process the data like firms in Germany or Spain. However, this standard was never applied to the USA, despite – or rather because – so much European data is processed there.
The safe harbor deal with the US Federal Trade Commission (FTC) spared American firms a lot of trouble. It was assumed that they all followed the rules, if they said so. Striking down safe harbor means the 4,500 US businesses currently listed as depending on safe harbor will no longer receive preferential treatment. It also means the organizations inside the EU who choose to send data to American businesses are breaking the law unless they can independently show compliance with EU rules.
The CJEU’s decision is a victory for common sense. Since 2001, the European Commission has pretended that Americans are intrinsically more honest than people living in other countries. European data protection authorities have gone along with this pretense. Even if the statistics showed that Americans are more likely to abide by EU rules, it does not follow that one person’s data is safe just because Americans are generally reliable. It would be ridiculous to suggest that there is not a single crooked employee amongst 4,500 American businesses. But if an EU rule was broken by a US firm, the victims in the EU had no legal right of redress. This made a mockery of the idealistic principles which are the basis of European data protection regulation.
In reaching their decision, the CJEU has followed the recommendations of one of their advising lawyers, Advocate General Yves Bot (you can find our report on AG Bot’s preliminary advice here). If anything, the full court has been even more brutal when finding fault with the safe harbor agreement. The official judgment includes two key decisions, the first of which relates to needing to properly check if US firms comply with EU rules.
…[if] the Commission finds that a third country ensures an adequate level of protection, [that] does not prevent a supervisory authority of a Member State [in other words, a national data protection authority]… from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.
In other words, if an EU citizen has reason to believe his data is not protected in the way required by EU law, the relevant national data protection authority must pull its finger out of its backside and actually check how well the data is being protected.
The second part of the court’s decision was a slap in the face for the European Commission, who were responsible for negotiating the safe harbor agreement with the FTC.
…the Commission did not state, in Decision 2000/520 [the safe harbor agreement] that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments.
Consequently, without there being any need to examine the content of the safe harbour principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46 [i.e. the Commission’s legal right to decide if a non-EU country has a legal data protection regime equivalent to that in the EU]… and that it is accordingly invalid.
They also said that the European Commission had wrongly taken away the power for national data protection authorities to do their job.
The first subparagraph of Article 3(1) of Decision 2000/520 must… be understood as denying the national supervisory authorities the powers which they derive from Article 28 of Directive 95/46, where a person, in bringing a claim under that provision, puts forward matters that may call into question whether a Commission decision that has found, on the basis of Article 25(6) of the directive, that a third country ensures an adequate level of protection is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.
The implementing power granted by the EU legislature to the Commission in Article 25(6) of Directive 95/46 does not confer upon it competence to restrict the national supervisory authorities’ powers referred to in the previous paragraph of the present judgment.
That being so, it must be held that, in adopting Article 3 of Decision 2000/520, the Commission exceeded the power which is conferred upon it in Article 25(6) of Directive 95/46, read in the light of the Charter, and that Article 3 of the decision is therefore invalid.
And if major parts of the safe harbor deal were invalid, then the whole thing is invalid.
As Articles 1 and 3 of Decision 2000/520 are inseparable from Articles 2 and 4 of that decision and the annexes thereto, their invalidity affects the validity of the decision in its entirety.
Having regard to all the foregoing considerations, it is to be concluded that Decision 2000/520 is invalid.
Privacy campaigners should celebrate their victory. However, their battle is not won yet. The reaction of many businesses, journalists and lawyers indicates they will ignore the main thrust of the arguments made by privacy campaigners. Some will choose to dismiss the essential purpose of data protection, and to focus on paperwork instead. For example, British legal firm Allen & Overy are giving this advice to their clients:
This decision will result in significant inconvenience to businesses in the short term, both for EU and U.S. entities.
European entities that transfer personal data from the EU to the U.S. on the basis of Safe Harbor will quickly have to find an alternative way to legitimise the transfer. The ICO [The Information Commissioner i.e. the UK’s data protection authority]… recognises that it will take businesses “some time” to review how they ensure that data is transferred to the U.S. in line with the law, and the Commission in their press conference offered their support.
Notice the line of thinking adopted here: whatever you are currently doing is fine, but you might need to go to some effort to show it is fine. It seemingly does not occur to them to that the real problem with safe harbor was that nobody was checking if the rules were being complied with! Hence, it is perfectly possible that not everything is as fine as people would like to pretend. However, like lawyers often do, their preferred solution involves putting many more legal agreements in place. If data protection is just a matter of having a lot of signed paperwork, then we ignore whether the actual data is being protected!
I hope this judgment, which arrives 15 years later than it should, forces many big businesses to stop treating data protection as an exercise in filling forms, instead of doing the hard work to truly secure personal data. If these firms spent less money on lawyers, and more on security and operations, they might suffer fewer data breaches.
The CJEU recognized some basic, indisputable facts, such as the obvious truth that US firms are subject to US law, and that US law does not protect the privacy of EU citizens because of its overriding interest in US national security and law enforcement. It is very hard to see how the US government can resolve this clash. American politicians do not just endorse the mass surveillance of citizens of foreign countries, they also endorse the mass surveillance of their own citizens! However, such surveillance conflicts with the privacy rights of EU citizens.
It is to the credit of the CJEU that their judges live in the real world when so many politicians, lawyers and businessmen refuse to do so. The CJEU cited US surveillance as one key reason for its ruling. Their summary explicitly referred to Edward Snowden’s revelations about the NSA, and how it harvested private data from tech companies like Apple, Facebook, and Google.
Some other work is taking place to align EU data protection requirements with current practice in the USA. For example, the US congress is working on a bill that would give Europeans a legal right to redress, if their data is abused. However, such changes are tinkering around the edges. The core issue of surveillance – which includes snooping upon personal data – must now be dealt with.
From my perspective, businesses have one of two choices. They can continue to hide behind lawyers as a relatively cheap way to delay the inevitable day of reckoning. That might cost less, but it does no real good for anyone. Legal obfuscation is no way to address real moral responsibilities, and customers will have a suitably cynical opinion of businesses that do not protect their interests. The alternative is that businesses accept the plain truth, and recognize that US surveillance is in conflict with the rights of EU citizens. The only way to address this conflict is to protect personal data in such a way that it cannot be spied upon, by using hard encryption. To their credit, companies like Apple have shown they will defy US authorities by encrypting data. It seems to me that any business that wants to have a clear conscience when dealing with EU customers must now do the same, by ensuring personal data is encrypted using methods that cannot be cracked by government spies.