This week heralded some very big news: the European Court of Justice (ECJ) ruled that the EU-US Safe Harbor was invalid for failing to satisfy EU privacy laws. Suffice it to say, this is a big deal. I’ve discussed the Safe Harbor briefly in the past, but in short, it was a compromise between EU and US privacy laws that helped keep our international system running smoothly, at least for major multinational corporations like Facebook and Google. Invalidating the Safe Harbor certainly will upset the apple cart, and the ECJ opinion may have serious lasting consequences, so let’s dive in.
To start, it is important to recognize that the European Union has far stricter privacy laws than here in the US. The most important of these laws is the EU Data Protection Directive (DPD), an EU-wide mandate that all EU member states must enact legislation satisfying certain basic privacy standards with regard to personal data. I discussed this briefly elsewhere, but the important takeaways are that EU citizens are given privacy rights for their personal data, and corporations face pretty heavy restrictions on what they can do with that data. One of these restrictions is that data on an EU citizen cannot be transferred to a country that does not meet the DPD’s standard of “adequacy.” “Adequacy” is undefined, but generally means the equivalent of the rights guaranteed by the DPD. The EU wants to guarantee certain rights, and it doesn’t want those rights to be infringed simply by sending data overseas.
The problem with this framework is that US laws were unlikely to meet the DPD’s standard of adequacy, and the US was and is still the single largest data processor in the world. (Not to mention the home to Silicon Valley, the tech capital of the world.) Prohibiting data transfer to the US seemed fundamentally unworkable, particularly at the time, so a compromise was inevitable.
This compromise was the Safe Harbor, which allowed for companies to self-certify that they would meet the adequacy standard, and thereby allow those companies to transfer data to the US without violating EU privacy laws. Companies self-certifying adequacy would therefore hold themselves to a more stringent standard than US law required, and be able to resume the unrestricted data transfer that made the Internet so successful. While this probably strikes many as a low regulatory bar (self-certifying “adequacy” hardly sounds like strong oversight), it nonetheless harmonized these disparate legal regimes and allowed for multinational corporations to continue business as usual, and has been the law since 2000. (I will note, an update was in the works prior to this decision.)
So what changed? In short, Snowden. The revelation of the extent of US surveillance capabilities shocked the world, and raised thorny questions about whether any company operating in the US could also meet the EU’s privacy standards. This led an Austrian civil-liberties advocate to challenge the data transfers of Facebook, and by proxy, all multinational tech companies (which you’ll recall, are mostly based in Ireland), and after some procedural hurdles, the question reached the ECJ, which held that US surveillance practices were irreconcilable with EU privacy laws, and that the Safe Harbor was therefore invalid. While the current response to the ruling seems to be a nervous “business as usual,” the long term effects are harder to anticipate.
The ECJ opinion appears to have two primary challenges to the current Safe Harbor framework: 1. US bulk collection of personal data violates the fundamental right to privacy of EU citizens (the privacy argument); and 2. EU citizens were not afforded an opportunity to challenge US laws affecting their personal data, infringing their fundamental right to judicial protection (the rule of law argument). On top of these two substantive challenges to US law, the opinion generally casts doubt as to the legality of any Safe Harbor agreement with a country whose laws have not been deemed “adequate.”
Schrems v. Data Protection Commissioner
I’ll start with the privacy argument. While clearly targeted at US bulk collection programs like PRISM, the ECJ may be casting an indictment of US law generally. The opinion decries “generalized” data storage by a foreign government, particularly when it does so without any “objective criteria being specified as to the extent of the data’s use.” Basically, collecting everyone’s data without any individualization violates the EU citizens’ right to privacy. Yet it is unclear how far this ruling goes. Put another way, how far must the US go in order to satisfy this legal requirement? Is it sufficient to disband the bulk collection programs, or must the US specifically outlaw any bulk collection program whatsoever? After all, many of these programs (though not all) were made explicitly illegal by the USA Freedom Act, passed prior to the ECJ ruling. Is the ECJ’s challenge to the mere potential for the US to conduct bulk collection? This would create a fairly substantial hurdle for the US in attempting to create a new Safe Harbor.
The rule of law argument, however, presents a much less certain, and potentially more problematic grounds for invalidating the Safe Harbor. This argument primarily relates to standing, as non-US persons do not have a right to challenge US laws unless Congress explicitly says they do. By citing this lack of standing as a basis for invalidating the Safe Harbor, the ECJ appears to be mandating that EU citizens be granted standing to sue (albeit in a limited fashion) in any country where their personal data may be transferred. The DPD grants the right to access, correct, and erase information about themselves, and any country’s legislation that doesn’t provide this right to EU citizens wouldn’t comport with the DPD. I’m not sure if this can be reconciled with US jurisprudence on national security surveillance, as often even US citizens have difficulty establishing standing, so a clear right to challenge US surveillance for EU citizens seems highly unlikely.
But perhaps more fundamentally, the principles the ECJ espouses seem to undercut the very notion of a “safe harbor,” as the ECJ opinion strongly implies that any Safe Harbor agreement cannot be authorized by the DPD. The DPD allows for data to be sent to foreign nations only if that nation’s privacy laws are deemed “adequate,” whereas the point of the Safe Harbor was to allow for the transfer to the US even though US law wasn’t deemed adequate. Even though companies could self-certify adequacy, they would still be subject to US laws which might conflict with the EU privacy rights. (Indeed the Safe Harbor has an entire section confirming this to be true.) Based on this ruling, any Safe Harbor agreement with a country with “inadequate” legal protections will be invalid, regardless of private sector self-certification.
I should note, this case struck me as very messy. A good deal of the opinion is devoted to determining purely procedural issues, as the EU system is both very complex and relatively new. The EU has an EU-wide Data Protection Commission, which drafted the Safe Harbor on the EU side, but each individual EU member state has its own Data Protection Commissioner, which can also determine adequacy. But a determination of adequacy by the Commission is binding on each individual member-state, so although those states are still allowed to assess adequacy, they cannot invalidate a determination by the Commission. This is an odd arrangement. (It appears to be purely for appeals, essentially requiring the lower court to agree with you that a precedent is wrong in order to reach the higher court.) But the practical takeaways are that although the ECJ invalidated the Safe Harbor, this still leaves the possibility that either the Irish DPC or the EU DPC could determine that the US is in fact adequate. While possible, this seems unlikely.
So what might a new Safe Harbor look like, assuming a Safe Harbor is even possible? This case is problematic, but probably not fatal for the concept of a Safe Harbor. The solution appears to be that a Safe Harbor needs to still explicitly acknowledge that US law is “adequate.” Therefore, I suspect that the next Safe Harbor will involve some legal chicanery, where US law is deemed adequate, but the Safe Harbor still restricts data transfers to only those companies that self-certify to the adequacy standards laid out in the previous Safe Harbor. This would be a change in form more than substance, although it may also come with certain concessions on the part of the US regarding bulk collection and EU-citizen standing. The US is already moving away from bulk collection, so whether this is explicit or implicit will be interesting to see. And I should note, this entire issue may ultimately be moot soon anyways, as the EU is currently finalizing an EU-wide General Data Protection Regulation, which will override the DPD, and may more directly address the issue of data transfers to the US. Time will tell.
Return to territoriality
Moving away from the specifics of this case, I’d like to briefly discuss the underlying problem that is making these issues increasingly common: territoriality. I’ve discussed this issue previously, and this case is in some ways indicative of how the EU is similar to the US in pushing against territoriality when it comes to regulating the Internet and multinational corporations. By manipulating jurisdiction over multinational corporations, countries can exert powerful international influence, and these competing influences are often in conflict. The US conception of free speech often clashes with the EU conception of individual privacy, and the battle for these competing values is occurring through these shared mediums. Each is empowered through territoriality to exert influence over entities within their sovereign borders, but the potential for these territorial applications to have extraterritorial effects is making the distinction somewhat nonsensical.
In some ways the EU data transfer restriction are a poor example. While they invariably negatively impact multinational companies, data transfer restrictions are nonetheless firmly routed in territoriality, attempting to keep data within your territory to ensure your regulations apply. But current discussions in the EU are adopting much broader ideas for what data the EU can regulate, and the draft General Data Protection Regulation is asserting the EU right to regulate any data relating to an EU person, no matter where it is stored or where it originated. And other recent EU decisions like the right to be forgotten, the EU antitrust cases, and the various responses to US surveillance practices all show the EU pushing its own domestic agendas in opposition to prevailing US policies, particularly with regard to the Internet.
Each of these disputes is ultimately driving at the same question: how do we govern the Internet in a global system? When the US wants to be able to access data stored abroad by domestic companies, and the EU wants to deny access, even abroad, relating to EU citizens, how do we reconcile these? The Googles and Facebooks of the world are frequently being forced to play that intermediary, crafting a middle way for a huge swathe of the international community; such substantial determinations really deserve more substantial proceedings, and a more comprehensive international agreement is long overdo.
Until next time