Will Spies Sink Transatlantic Commerce?

The Impact of the Schrems Safe Harbor Decision Here is the latest fallout from Edward Snowden's public disclosures about NSA snooping on international communications: On Tuesday, the European Court of Justice invalidated the 15-year-old "Safe Harbor Data Protection Framework" under which more than 4500 US companies and organizations are permitted to process data relating to European consumers and employees. According to the EU's highest judicial institution, it does not matter how carefully the companies keep their privacy commitments, because US government agencies may be reading their electronic mail without adequate legal supervision. This means that US-based companies must quickly pivot to other legal means of bringing European personal data to the US, such as Model Contracts and Binding Corporate Rules. But that is only the beginning.

Blowing up the Safe Harbor

The 1995 EU Data Protection Directive (Article 25) generally forbids transferring personal data from Europe to countries that do not assure an "adequate" level of legal privacy protection. The United States is deemed inadequate (along with India, Russia, China, Brazil, and, well, most of the rest of the world), because the US does not have a comprehensive data protection law on the European model.

An important alternative has been available since 2000: US companies participating in the “Safe Harbor” program negotiated between the European Commission and the US Department of Commerce could receive (or access) personal data from Europe so long as they certified compliance with the Safe Harbor Privacy Principles, a streamlined version of the principles found in the EU Data Protection Directive. Safe Harbor companies submit to third-party dispute-resolution procedures and, ultimately, enforcement in the US (chiefly by the Federal Trade Commission) or in Europe by a panel of European national data protection authorities in the case of employee data. The European Commission, with the assent of the European Council representing the governments of the EU Member States, issued a decision in 2000 that data flows subject to Safe Harbor principles and enforcement mechanisms should be deemed "adequately" protected. The thousands of Safe Harbor companies and organizations listed on the Department of Commerce website include Google, Microsoft, Apple, IBM, Amazon, most of the major US-based outsourcing and cloud services providers, and many global companies with European affiliates, including those that use Safe Harbor chiefly to access their own customer and employee records in Europe, operate central database applications, or simply manage their email servers on a global basis.

All that is placed in jeopardy by Tuesday’s ruling from the European Court of Justice (ECJ), in a case styled Maximillian Schrems v Data Protection Commissioner. The ECJ decided that these data flows are not, in fact, adequately protected, because the US government might be surveilling them covertly without sufficient legal oversight or recourse.

The case arose from a complaint by an Austrian law student named Schrems who was disturbed by Snowden's 2013 revelations concerning NSA surveillance of international cable and satellite traffic. Schrems first petitioned the Irish data protection commissioner to block data flows to Facebook, a Safe Harbor company, from European regional servers located in Ireland. Schrems filed a series of complaints with the Irish Data Protection Commission and ultimately appealed to the High Court of Ireland, which referred the question to the ECJ in Luxembourg, the final arbiter on the interpretation of EU law. (How could a graduate student afford to hire lawyers and pursue such a case? Schrems and fellow law students created a crowd-funding website -- and advertised it via social media, naturally.) Two weeks ago, the ECJ's Advocate General delivered an opinion backing Schrem's petition, which brought an immediate reaction from the US government. Nevertheless, the court, acting with surprising speed, endorsed the AG’s views in Tuesday’s decision.

The court reached two significant conclusions:

1. An EU adequacy decision does not prevent national data protection authorities from re-examining whether the “law and practices” of a third country adequately protect personal data, and the ECJ (not the Commission) has the final say on that question. This opens the door for country-by-country challenges to data transfers under any revised version of Safe Harbor, as well as for data transfers to countries other than the US, including Switzerland and Canada, which have been declared “adequate” by the European Commission without expressly taking into account whether there is adequate legal oversight of government surveillance in those countries.
2. The European Commission’s Safe Harbor decision is invalid. The Court observed that the Directive requires a finding of adequacy in a third country “by reason of its domestic law or international commitments.” The Court concluded that the Commission did not sufficiently explore that question because it focused only on the adequacy of the Safe Harbor principles and mechanisms themselves. The Safe Harbor companies could conform to those but still end up disclosing personal data (knowingly or not) to government agencies in the US, and the Commission did not establish that those agencies were subject to domestic laws that assured, for example, individual rights of access and judicial recourse. The Court said the Directive has to be read in the light of the Charter of Fundamental Rights of the European Union (Articles 7 and 8), which guarantees a right to privacy and “the protection of personal data” and specifically requires that such data must be processed “fairly” and based on “consent or some other legitimate basis laid down by law,” and further that individuals have the rights to access the data and have it corrected.

The Court did not conclude that NSA surveillance is essentially lawless, but it suggested that both the Commission and national data protection authorities must consider that possibility when examining whether personal data in the US are protected adequately to meet European standards. The Court also did not suggest that there can be no surveillance in the interest of national security or public order. Rather, the Court pointed to its decisions interpreting the Charter, establishing that any governmental interference with privacy and data protection rights must “lay down clear and precise rules governing the scope and application of a measure and imposing minimum safeguards, so that the persons whose personal data is concerned have sufficient guarantees enabling their data to be effectively protected against the risk of abuse and against any unlawful access and use of that data.”

Are there such guarantees in US law, governing surveillance by the NSA and other agencies, and do such protections apply to persons who are not citizens or residents of the US? Those are points that the US government would presumably need to address in ongoing talks with the European Commission about a revised Safe Harbor, because the Court will likely reject a Safe Harbor 2.0 without such assurances. Meanwhile …

Alternatives to Safe Harbor

Safe Harbor is not the only way to legitimize data transfers from Europe to the US under current law. Companies that have relied on Safe Harbor should consider one or more of the Article 26 “derogations” (exceptions) allowing data transfers to third countries on these grounds:

• Consent. Transfers are allowed if the individual has given “unambiguous consent.” This may work for consumers and business contacts, but data protection authorities generally hold that consent is not an appropriate ground for transferring employee data, because the employment relationship is inherently coercive. Also, in light of the Court decision, getting informed consent may require giving notice that the transferred data could be disclosed under US law to government authorities or courts.
• Performance of contract. Data transfers are permitted if they are necessary for the performance of a contract between the individual and the company. This covers, for example, most cross-border data transfers involved in using credit or debit cards abroad, making travel reservations, or completing online or mobile purchases. But data protection authorities have taken a narrow view of what transfers are necessary to perform a contract, and several have opined that it is not “necessary,” for example, to send the data to a US-based cloud services provider or an Indian outsourcing company. Similarly, the data protection authorities tend to take a strict view on the question of whether data transfers are necessary for the conclusion or performance of a contract with a third party (such as an intermediate bank or agency) “in the interest of the individual.”
• Public interest. Data transfers are permitted where necessary or legally required “on important public interest grounds,” but there is little definition of this clause – certainly no precedents that would smile on widespread NSA surveillance, for example, as opposed to law enforcement data sharing on specific criminal or terrorist investigations. Pharmaceutical companies argued that this derogation applied to their transfers of clinical trial data and adverse events reports, but in the end they had to get specific codes of conduct or contractual guarantees approved by national authorities. This derogation is generally a very uncertain basis for transatlantic data transfers in the private sector.
• Legal claims. Data transfers are allowed as necessary to “establish, exercise, or defend” legal claims. It is not at all clear that this extends to routine transaction, accounting, audit, and insurance records, even though they might eventually be needed for legal purposes. Rather, the data protection authorities suggest that the derogation applies where there are current or reasonably anticipated litigation, arbitration, or regulatory enforcement proceedings.
• Emergencies. Transfers are allowed if necessary to “protect the vital interests of the data subject.” This derogation works in the case of a traveler’s medical emergency, for example, if the traveler is not in a position to give timely consent, but it has not been applied to routine data flows.
• Public registries. Data may be accessed from a public registry (such as a voter’s registry), but only if consistent with the legal conditions that apply to that database. As a practical matter, those conditions generally rule out accessing the database from abroad to verify the identity of an online consumer, for example, or to create a marketing list.

Two other mechanisms have developed under the authority of Article 26, which also provides that transfers can occur if a company itself establishes “adequate safeguards”: model contracts and binding corporate rules.

• Model Contracts. The European Commission has adopted standard contract clauses to include in data transfer agreements covering transfers between a European data controller and a controller or processor in a third country that lacks an EU adequacy determination. (Under the Directive, “controllers” make the decisions about what personal data to collect and what is done with it, while “processors” merely process or store data on behalf of controllers. A payroll processor or SaaS services provider, for example, is usually deemed a processor, while a headquarters company in the US and its European subsidiary are generally viewed as joint controllers of the European entity’s customer and employee data, because the parent will typically have a say in what data is collected and how it is used.) The model clauses point to a particular set of data protection rules, usually the law of the country from which data are “exported,” and establish the respective obligations of the parties in maintaining confidentiality and security. Unlike Safe Harbor, these model contracts can be used for data transfers to any country, not only the US, so many global companies employ them even if they have relied on Safe Harbor for their US data transfers.

No one knows how many companies already use model contracts, because many European countries do not require users to notify the data protection authority or seek its approval. Irish law, for example, requires registration only for certain categories of data controllers, such as financial institutions and debt collectors. The UK registration scheme is much broader but allows companies simply to check a box indicating that data will be sent outside the EU/EEA, and many companies disclose on the UK’s online registration form only that the data will be transferred to the US or “worldwide,” without indicating the legal basis for the transfers. In Germany, few companies are required to register with the state data protection authorities. Most appoint an internal data protection officer instead, so the authorities are aware of the company’s cross-border data transfer arrangements only if there is a complaint or investigation. By contrast, France, Spain, and The Netherlands generally require prior approval by the data protection authority before transferring data pursuant to model contracts, so the process entails delays and potentially the necessity of answering the regulators’ questions or meeting their objections.

The good news is that virtually all of the companies currently using Safe Harbor could replace it with data transfer agreements incorporating one of the EU-approved sets of model contract clauses. Those agreements should not involve obligations substantially different from those found in the Safe Harbor Privacy Principles (although they will subject the US companies to some remaining peculiarities of European national data protection rules and procedures). The bad news is that a company might need to get multiple agreements in place quickly and then manage the contracts over time as parties and processes change, submitting the agreements for approval in the countries where that is required. This may place US companies at a competitive disadvantage. For example, where a US service provider could simply refer to its Safe Harbor commitment in each of its service agreements with European customers, it will now have to attach a data transfer agreement which, in some countries, the European customer will have to submit to its local data protection authority for approval before actually commencing service.

• Binding corporate rules. “BCRs” are another accepted way of establishing adequate safeguards for cross-border data transfers. With BCRs, a multinational corporation establishes company-wide policies and procedures for handling European personal data, makes them binding on all relevant affiliates, announces the policy to affected individuals (who can then complain to data protection authorities or courts if they think the corporate group is not living up to the policy), and obtains approval from each relevant European data protection authority. The procedure has been rather cumbersome and time-consuming (requiring at least six months and often much longer). So far, it has been used by a few dozen large corporate groups, including ABN AMRO Bank, Accenture, American Express, AXA, BP, Bristol Myers Squibb, Cargill, Citigroup, eBay, First Data, General Electric, Hewlett Packard, Hyatt, Intel, Michelin, Motorola, Phillips, Shell, and Siemens. BCRs may become a more attractive option in the absence of Safe Harbor, but it is not an overnight option as Model Contracts can be in many countries.

In any event, it would seem that the logic of the Court’s decision about Safe Harbor ultimately threatens data transfers under Model Contracts and BCRs as well. NSA surveillance presumably does not distinguish among data flows from Europe based on which legal mechanism is used. The Schrems decision appears to expose Model Contracts and BCRs to scrutiny by national data protection authorities, who may reach different conclusions about whether those commitments produce “adequate safeguards” in view of government surveillance in the US and other countries. Many European companies use Model Contracts or BCRs, for example, to justify sending data to affiliates, outsourcing and technical support vendors, and software developers located in countries such as China, Russia, Bulgaria, Algeria, and Vietnam, where government surveillance is likely to be at least as intrusive as NSA software monitoring international communications for “terrorist”-related key words. Are individual data protection commissioners meant to evaluate the adequacy of legal controls over government surveillance in each country around the world? This seems a better candidate for EU-level investigation and diplomacy. It is certainly not an issue that individual companies can resolve by themselves. A real solution will require the efforts of the US Administration and, perhaps, Congress (in an election season!).

Going Forward

The US and EU might be able to agree on a Safe Harbor 2.0, but this would require a satisfactory regime of legal oversight in the US that covered European data caught in the NSA’s wide net. The proposed EU General Data Protection Regulation, which could be adopted as early as year-end and replace the EU Data Protection Directive after a two-year transition period, currently contemplates the continuing viability of Model Contracts, BCRs, and the other derogations listed above, as well as adequacy determinations such as Safe Harbor. One question is whether the Court’s decision will delay adoption of a final version of the Regulation. It is possible that the Regulation could result in a more uniform approach to decisions about the adequacy of third country privacy safeguards. But the underlying problem of satisfying European institutions shaken by revelations of NSA surveillance must still be addressed. It is a problem complicated by the fact that the UK and several other EU countries conduct their own surveillance programs and have been sharing information with US intelligence agencies since the Second World War.

Authorities in the EU may well decide not to open that can of worms. For the moment, companies handling European personal data must decide whether they increasingly localize European data processing in Europe (abandoning many efficiencies and economies of scale by forsaking global databases and networked access to data across the organization) or establish the grounds for relying on explicit consent, Model Contracts, BCRs, or other exceptions to the Directive’s ban on exposing European data to “inadequate” countries.

Beyond the EU

The ECJ decision may have an impact as well on data flows from countries outside the EU that have adopted laws modeled on the EU Data Protection Directive and currently allow personal data to be transferred from their territory to US Safe Harbor companies.

The first affected are the three non-EU countries of the European Economic Area (EEA), Iceland, Liechtenstein, and Norway. They are bound by treaty to transpose EU legal measures into national law, and they all currently accept data transfers to US Safe Harbor companies (as well as transfers based on EU-approved Model Contracts). Presumably, they will ultimately follow the EU in blocking transfers based on Safe Harbor. Safe Harbor companies exporting data from those countries will probably want to shift to Model Contracts, as in the EU itself.

Switzerland, which is not a member of the EU or EEA, nevertheless enacted a federal data protection law closely modeled on the EU Data Protection Directive, and the European Commission promptly issued a decision determining that the Swiss law offers an adequate level of protection. Switzerland entered into its own arrangements with the US Department of Commerce, the US-Switzerland Safe Harbor Framework, which is nearly identical to the US-EU Safe Harbor Framework. Switzerland is not subject to the ECJ decision, but it may well decide to follow the ECJ’s lead. One reason is that companies otherwise might be tempted to route European data through Swiss servers. If Switzerland then permitted the data to travel freely to the US, the European Commission might reconsider whether Switzerland itself continues to ensure adequate protection. Swiss law also allows transfers based on EU-approved Model Contracts, and companies in the US-Switzerland Safe Harbor program should consider preparing to shift to that solution.

The same logic may apply as well to other countries that benefit from EU adequacy decisions, including Canada, New Zealand, Israel, and Argentina. Current Israeli law allows data to travel from Israel to US Safe Harbor companies; that data passport probably disappears with the suspension of Safe Harbor. The other countries mentioned generally expect contractual safeguards for data transferred to the US, and if the EU takes the next step of challenging transfers based on EU Model Contracts, it may give those countries pause as well -- either because they have similar reservations about US government surveillance or because they do not want to jeopardize their own status with the EU. Moreover, the European Commission’s adequacy decisions for Canada, New Zealand, and Israel may be challenged before European courts or data protection authorities, on the strength of the Schrems decision, because all of those countries reportedly conduct communications surveillance and share some of the resulting intelligence with the US.

What’s a Company To Do?

It’s tough being a pedestrian at the busy intersection of global commerce and national security. For now, companies handling data from Europe should not wait for a legislative or diplomatic solution that may be a long time coming. Instead, they should review the options discussed above and settle quickly on those that best serve their needs, even if those turn out to be interim solutions.