US-EU Safe Harbor decision raises uncertainty, data privacy concerns

By Erin Ayers on October 8, 2015

The U.S.-EU Safe Harbor agreement, used since 2000 by multinational companies for legally transferring data owned by European Union citizens to the U.S., is invalid, due to the determination by the EU’s Court of Justice that the United States may provide government access to private citizen data.

Privacy experts say that the decision thrusts businesses that rely upon the Safe Harbor to move data freely around the globe into a state of uncertainty, with the possibility of examinations of company privacy practices, potential lawsuits, and added costs of developing alternatives to the agreement.

In the case decided this week by the European Union’s highest court, a Facebook user and Austrian citizen, Maximilian Schrems, objected to the transfer of his data to U.S. servers via Facebook’s Irish subsidiary and asked Ireland’s data protection commissioner to block the transaction following revelations about the U.S. National Security Agency’s (NSA) spying program, as divulged by Edward Snowden. The Irish official requested a ruling from the EU’s Court of Justice on whether the Safe Harbor agreement, which was promulgated in 2000 by the European Commission and allows for the transfer of data to a third-party country that provides reasonable protection of data in its laws and practices, is still valid.

According to the EU’s Court of Justice, the Safe Harbor provision is no longer valid. The Court directed the Irish commissioner to fully investigate the claim and verify that the U.S. data protection laws meet those required for safeguarding EU citizens’ data.

The decision now gives all EU members the power to determine whether U.S. data protection laws (or the laws in any other country) meet or exceed the laws and protections governing data relating to EU member country citizens.

“Given the decision, adherence to the Safe Harbor is no longer sufficient to ensure the legitimacy of transfers of personal data from the EU to the US,” commented the law firm of Goodwin Procter in a client alert. “Although this leaves any entity that relied solely on Safe Harbor exposed to possible claims that its data transfers are unlawful, we expect many regulators to allow companies some time to reorganize their programs and implement alternatives. Companies thus should promptly evaluate, identify, and prioritize data transfers for which they relied on the Safe Harbor, and should identify alternative or additional compliance mechanisms. Companies also should be prepared for less leeway in countries, such as Germany, where the Safe Harbor has long been subject to scrutiny.”

Questions quickly arose over how the change will affect the approximately 4,500 organizations that use their compliance with the Safe Harbor guidance as permission to transfer data – as well as the impact on Europe’s financial landscape.

“There’s a recognition that the Atlantic data transfer really impacts a tremendously large piece of the European economy,” said Randi Singer, partner with Weil, Gotshal & Manges LLP. “It’s much more than a shot across the bow, but this decision has not brought the European economy to a screeching halt. We didn’t wake up this morning and see a rash of lawsuits and complaints yet.”

She added, “The real impact is on the smaller companies and mid-size companies that have a lot of information but information isn’t their stock in trade.”

Large tech companies such as Facebook and Apple were said to be “prepared” for the ECJ to rule as it did, and several issued statements about their plans for the future.

Effect on Citizens

Schrems, the plaintiff in the case, issued a statement on his website, saying, “I very much welcome the judgement of the Court, which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.”

Schrems and his legal team also speculated that Facebook users in Europe likely wouldn’t see any changes immediately, but legislation and negotiations between the U.S. and the EU could occur.

“The European Commission and the U.S. government may be able to remedy the situation. It’s clear from the judgment, that a solution will very likely require severe changes in U.S. law and more than just an update to the current ‘safe harbor’ system. Otherwise full compliance with EU fundamental rights and the judgment will be very hard to achieve,” said Schrems.

EC Response

EC Commissioner Vera Jourova commented on the decision by saying, “We have three priorities: First, we have to guarantee that EU citizens’ data are protected by sufficient safeguards when they are transferred. Then, it is important that transatlantic data flows can continue, as they are the backbone of our economy. Finally, we will work together with the national data protection authorities to ensure a coordinated response on alternative ways to transfer data. This is important for European businesses.”

Jourova acknowledged that regulators have been eyeing a change to Safe Harbor for some time. She commented, “Let me remind you that following the Snowden revelations in 2013, the Commission had identified the shortcomings of the Safe Harbor arrangement and had made 13 concrete recommendations on how to make the Safe Harbor safer. This has been acknowledged by the Court ruling. Since 2013, we’ve been working relentlessly with the American authorities to revise the Safe Harbor. And we have made important progress that we can now build on in light of the judgment.”

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.