That awful grinding noise you heard on October 6th was the gears seizing up in the legal machinery governing transatlantic data flows. The European Court of Justice threw one heck of a wrench into the works when it issued a judgment declaring that the Safe Harbor Privacy Principles followed by US companies that handle information concerning EU citizens are invalid. Lots of companies’ practices may now violate EU law, and those companies may now face inquiries from data protection authorities from multiple EU member states.
What Is The Safe Harbor?
A bit of background for those unfamiliar with the Safe Harbor: The EU has laws that provide strong protections for citizens’ privacy. Companies may only transfer data on EU citizens to countries that provide an “adequate” level of privacy protection. The EU has determined that US law does not provide adequate protection.
To facilitate data flows across the Atlantic and to ensure that US companies provide an adequate level of privacy protection, the US Department of Commerce negotiated the Safe Harbor agreement with the EU to specify privacy principles that companies can choose to follow in order to comply with EU law. The Safe Harbor applied to data of citizens of European Economic Area countries (the 28 EU member states as well as Iceland, Liechtenstein and Norway). Over 5,400 companies self-certified to the Commerce Department that they comply with the Safe Harbor.
Why The Safe Harbor Is No Longer Safe
So, how did all this get started? Max Schrems.
Max is an Austrian law student currently working on his PhD. In 2011 he studied at Santa Clara University in Silicon Valley, California. There he heard a lecture by Facebook privacy lawyer Ed Palmieri. Schrems was surprised by Mr. Palmieri’s apparent lack of understanding of EU privacy law. Schrems then decided he would research how Facebook handled information about EU citizens and whether the company complies with EU law.
Max didn’t like what he found. Schrems exercised his right under EU law to obtain all the information Facebook has about him. He made a request to the Irish Data Protection Commissioner (Facebook’s European headquarters is in Ireland) and received a cd with over 1200 pages of information. (Facebook reportedly collects a lot of information about its users. Max’s research seems to support that.)
Schrems then filed a complaint with the Irish Data Protection Commissioner (IDPC). The IDPC rejected the complaint because Facebook complied with the Safe Harbor Privacy Principles and therefore had not violated EU law. Schrems then took his case to the Irish High Court which referred the matter to the European Court of Justice (ECJ).
On October 6, 2015 the ECJ ruled that EU decisions implementing agreements such as the Safe Harbor agreement do not prevent data protection authorities in member states from examining claims by individuals like Max Schrems. More importantly though, the ECJ ruled that the Safe Harbor is invalid.
The court found that European Commission failed to determine that the US in fact provides adequate privacy protections, and that the Safe Harbor therefore is not (and presumably never was) valid. The decision appears to be based on the conclusion that US law does not adequately protect privacy rights because, as the court stated in its press release, the “United States safe harbour scheme . . . enables interference, by United States public authorities, with the fundamental rights of persons.” This conclusion stems from the revelations by Edward Snowden concerning surveillance of EU citizens by the US National Security Agency.
What Happens Now? Keep Calm and Carry On
The ECJ’s ruling unquestionably is a blow to companies that use the Safe Harbor. At a minimum, the ruling will force companies to adopt a different approach to complying with EU data protection laws. Fortunately, different methods are available.
Companies can include model clauses in contracts between the European data controllers, such as Facebook in Ireland, and data recipients outside the EU/EEA like Facebook in the US, that obligate the parties to provide adequate protection for data. Those obligations are enforceable by individual EU citizens whose data is transferred. The clauses are approved by the EU, and are available here.
It is worth noting though that at least one EU data protection authority, the ULD of the German state of Schleswig-Holstein, has questioned whether model clauses are valid. In a position paper released on October 14th the ULD advised companies to terminate contracts with US companies receiving data or to suspend data transfers. It remains to be seen whether other regulators will make similar recommendations.
Using binding corporate rules is another option for companies. Those rules would obligate companies to follow data handling practices and procedures that comply with EU law. Information about what such rules should contain is available here.
It will take time for companies to determine how to handle EU data going forward. Do they need to worry about a flood of claims in the meantime? Probably not.
Data protection authorities in the EU have stressed that they are not going to immediately take action against US companies. Recent comments by UK Information Commissioner Christopher Graham capture regulators’ state of mind well. He counseled companies not to panic, and said that the ICO will not be “knee-jerking into sudden enforcement of a new arrangement. We are coordinating our thinking very much with the other data protection authorities across the EU.” The Irish Data Protection Commissioner has made similar comments.
The Long Term Outlook
Discussions between the US and EU to revise the Safe Harbor Privacy Principles have been underway for several years. While it is possible that those discussions will lead to a new agreement that can pass legal muster, absent a change in US surveillance policy and practice it seems likely that any new safe harbor agreement will face rough sledding in the ECJ.
The biggest long term effect of the ruling may be the conclusion that data protection authorities in EU member states must investigate “with all due diligence” complaints that US companies are not adequately protecting their data. This requirement may subject US companies to a great deal more regulatory scrutiny in Europe than they faced in the past.
The uncertainty the ruling creates undoubtedly will motivate companies to store data on EU citizens on servers inside the EU. While that will simplify matters to some extent, it will bring its own set of issues.
Problems currently faced by Microsoft are a good example. In December 2013 the US Department of Justice served the company with a search warrant for information stored on a server in Ireland. Microsoft has resisted the warrant on the grounds that U.S. search warrants don’t apply to locations outside the United States. As Microsoft’s Deputy General Counsel put it, the “U.S. government doesn’t have the power to search a home in another country, nor should it have the power to search the content of email stored overseas.” While Microsoft avoided issues regarding transfer of data by storing it in the EU, it is clear that that they, and other companies that keep EU citizen data in the EU, could have other difficulties they will have to address.
Cyber Insurance Ramifications
Does the elimination of the Safe Harbor have any ramifications for affected companies’ cyber insurance? Possibly.
The ruling does not create any new liabilities. Companies still face the prospect of claims from people like Max Schrems, and they still face possible regulatory investigations. The ruling seems to make those more likely though. Companies therefore need to make certain that they have adequate coverage in place. While most policies would cover Max’s claim and privacy claims by regulators, regulatory coverage may be subject to a very low sublimit. Companies handling EU citizen data should be careful to ensure that they have sufficient coverage for regulatory claims.
Companies should be prepared for more questions from their cyber insurance underwriters about how the company handles data from EU citizens. If a company currently relies on the Safe Harbor the underwriters may ask about how the company plans to handle the data transfers going forward. The quality of the answer may affect the amount of coverage a company can get as well as its price.