Is the Safe Harbor Framework in Trouble?

Alex Loomis
Thursday, October 1, 2015, 2:51 PM

Published by The Lawfare Institute in Cooperation With Brookings

Last week, the Court of Justice for the European Union’s Advocate General published an opinion that casts doubt on the future of the so-called United States-European Union “safe harbor framework”—a legal arrangement which enables much of the U.S. tech community’s European operations. The advocate general’s opinion is not binding. But it might nevertheless have a great impact: Should the Court of Justice eventually adopt his opinion, in the closely watched case of Schrems v. Data Protection Commissioner, it could cause a world of trouble for the American tech sector.

In this post, I will explain what the safe harbor framework is; how the Schrems case arose; what the Advocate General’s reasoning was; and what his opinion likely means for the future.

What is the U.S.-EU safe harbor framework?

In short, the safe harbor is a patchwork, woven of European and U.S. law, which establishes a mechanism for covered U.S. companies to assert compliance with EU data privacy regulations.

As the U.S. Department of Commerce explains, significant European legislation—the 1998 European Commission’s Directive on Data Protection—forbids “the transfer of personal data to non-European Union countries that do not meet the European Union (EU) ‘adequacy’ standard for privacy protection.” That’s where the framework comes in. It provides a means for certain U.S. organizations (essentially those subject to the jurisdiction of the Federal Trade Commission, as well as air carriers and ticketing firms) to attest that they indeed have “‘adequate’ privacy protection, as defined by the Directive.” Qualifying U.S. outfits thus may “participate in the U.S.-EU Safe Harbor program” if they “comply with the Framework’s requirements,” “self-certify annually to the Department of Commerce” their intent to comply, and publicize that compliance in their “privacy policy statement.”

Those requirements are fleshed out in a mishmash of (among other things) established privacy principles, U.S. government-posted answers to “frequently asked questions,” correspondence between U.S. and European officials, and European regulatory decisions—all of which and more are collected here.

The principles include requirements to give consumers notice about how information is collected about them, the choice to opt out of their information being given to a third party, requirements to take reasonable steps to protect data from unauthorized access, an individual right of access to one’s own data, and mechanisms for ensuring compliance with these principles. Organizations participating in safe-harbor are primarily responsible for regulating themselves (through mandatory dispute resolution systems and verification and remedy requirements), but state and federal agencies help enforce the framework. The Federal Trade Commission in particular has sued companies for falsely claiming they comply with the framework.

In 2000, the European Commission published Decision 2000/520, stipulating that American companies that comply with the framework would have “adequate” levels of data protection, for purposes of the Directive, and further that all EU member states were to respect the Commission’s “adequacy” determination. That decision was incredibly important: It effectively eliminated the need to get prior approval before transferring personal data from the EU to the United States, and left enforcement of privacy norms regarding that data to be conducted primarily in the United States. Effectively, every European state from which a company transferred data would need to permit such transfers to go forward because, absent a specific Commission “adequacy” determination, “[d]omestic law decides how to assess the level of data protection in a foreign country.” Granted, not all data is covered by the European Directive (bank transfers and hotel bookings, for example, are excluded), but about 4500 companies nevertheless rely on the safe harbor framework to transfer commercial data from Europe to the United States. Most notably, American tech firms like Google and Microsoft avail themselves of the safe harbor, in order to conduct business in Europe.

How did the Schrems case start?

Enter Max Schrems, an Austrian citizen who joined Facebook in 2008.

Mr. Schrems has challenged the safe harbor agreement as a violation of the Charter of Fundamental Rights of the European Union. Specifically, his lawsuit alleges that the Commission’s essentially having allowed U.S. organizations to deem themselves in compliance with the law, through the safe harbor procedures, violates his human rights: to privacy (Art. 7), to the protection of personal data (Art. 8), and to an effective remedy for such violations (Art. 47). Schrems is an EU Facebook subscriber; he thus was obligated to sign contracts with Facebook Ireland. The nature of cloud computing being what it is, some or all of EU Facebook subscribers’ data may get transferred to U.S. servers, thereby implicating the safe harbor agreement (¶24).

With this in mind, Schrems filed a complaint with the Irish Data Protection Commissioner a few weeks after the first Snowden revelations, arguing that NSA’s Section 702 “PRISM” surveillance rendered U.S. data protection inadequate (¶25-26). But the Commissioner refused to investigate his claims because “there was no evidence that the NSA accessed Mr Schrems’ data,” and the safe harbor framework precluded him from finding that the United States offered inadequate protection for Schrems’ rights (¶27).

Schrems thus appealed to the Irish High Court, which in turn referred the case to the Court of Justice of the European Union (CJEU) (¶47). The latter heard arguments in March; a decision is expected in the coming days.

On September 23, Yves Bot, the Advocate General responsible for the case, published his non-binding opinion. (Advocates General “are responsible for collating evidence and representing the EU interest in cases before the ECJ.”)

What did the advocate general conclude?

Bot made two principal findings: (1) the safe harbor framework did not bar EU member states from finding U.S. data protection inadequate, and (2) the safe harbor itself offers inadequate data protection.

The Advocate General flagged as “the central issue” whether Decision 2000/520 “is absolutely binding on the national data protection authority and prevents it from investigating allegations challenging that finding” (¶57). Both the U.S. government website on safe harbor policies and the EU manual on European data protection law assert that the Commission’s judgment is final.

But it turns out they are wrong, according to the Advocate General (¶61):

[I]f the national supervisory authorities receive individual complaints, that does not in my view prevent them, by virtue of their investigative powers and their independence, from forming their own opinion on the general level of protection ensured by a third country and from drawing the appropriate conclusion when they determine individual cases.

Bot then turned to the Commission’s determination that the safe harbor provided for “adequate” data protection (¶121). Though the High Court had not referred this issue to the CJEU, Bot wrote that it nevertheless was appropriate to consider it, because Schrems intended to challenge safe harbor’s validity (¶122) and the High Court had “indirectly” questioned its legitimacy too (¶123).

The bulk of Bot’s opinion was dedicated to this “adequacy” question. First, the Advocate General argued that the “adequacy” determination is not static; it must “necessarily evolve according to the factual and legal context prevailing in the third country” (¶134). He then spelled out a myriad of problems with U.S. data protections:

  • “the fact that citizens of the Union have no appropriate remedy against the processing of their personal data for purposes other than those for which it was initially collected” (¶165);
  • the lack of “an independent control mechanism suitable for preventing the breaches of the right to privacy that have been found” (¶166);
  • “the large number of users concerned and the quantities of data transferred” and “the secret nature of the United States’ authorities access to the personal data” (¶171);
  • “the citizens of the Union who are Facebook users are not informed that their personal data will be generally accessible to the United States security agencies” (¶172);
  • the secret and ex parte nature of the FISA Court (¶173); and
  • the inadequate protections afforded to foreign citizens (¶211-13).

Some of the Charter’s rights infringements might be justified, he argued, if they were proportionate, “necessary[,] and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others” (¶176). This standard was not met though. First, the rights infringement was severe: the scale of the U.S. government’s collection, coupled with the broad exceptions in Decision 2000/520 “compromise the essence of the fundamental right to protection of personal data” (¶177). Moreover, the exceptions that Decision 2000/520 carves out are too imprecisely defined to be “objectives of general interest recognized by the European Union” (¶183). Nor were these derogations “strictly necessary” (¶191) because the NSA can collect as many communications as it likes “without any differentiation, limitation or exception according to the objective of general interest pursued” (¶198). “Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter” (¶200).

As a result, “the Commission ought to have suspended the application of Decision 2000/520” (¶217).

What does this mean for the future?

Ongoing Negotiations

The Advocate General’s opinion has no immediate legal effect but still might foreshadow big problems for the United States. As mentioned above, the Advocate General’s opinion is not binding. But the Financial Times suggests that the Court of Justice’s judges tend to agree with the Advocate General’s conclusions. A ruling doing so might throw a wrench into ongoing negotiations between the U.S. and the European Commission on the safe harbor framework.

According to FT, the Commission earlier had not been concerned because the new “agreement being negotiated will include more safeguards.” If the Court adopts Bot’s conclusions, the Europeans may push for even more privacy protections. That said, the Europeans might lose some leverage too: The principle that any determination concerning U.S. adequacy is only temporary puts the Americans in a tough spot, but it also leaves the Europeans very little to offer. This problem is accentuated by the laundry list of problems the Advocate General had with U.S. data protections. Is the U.S. supposed to cave on every issue? And there is much less reason for the U.S. to listen to the Commission if it knows it has to negotiate with every European country separately.

That last point is particularly interesting and, as mentioned earlier, represents a clear repudiation of both the EU and the U.S.’s prior understandings. Adopting the Advocate General’s position might “frustrate the creation of the digital single market in Europe,” as an IT industry spokesman put it, and possibly harm European consumers and U.S. tech companies in all sorts of ways. It is not obvious that we’ll see such harm, as the U.S. might have more ability to pressure individual governments on this issue compared to an EU-wide body. Adding further complexity are ongoing discussions in the EU to create a new EU-wide privacy authority, one that might be tougher on U.S. companies’ subsidiaries.

All of these points are of course subject to change, depending on the reasoning that the Court’s ruling eventually adopts. Invalidating the safe harbor agreement on narrower grounds while maintaining the Commission’s primacy, for example, would give the EU much more to offer.

U.S. Tech Companies

One thing is for sure, though: a Court declaration that safe harbor protections are inadequate could do real damage to the American tech industry. Schrems’s advocacy group spelled out the consequences in a press release right after the Advocate General’s opinion was published:

[C]ompanies that participate in US mass surveillance and provide for example cloud services within the EU and rely on data centers in the US may now have to invest in secure data centers within the European Union. Currently this could be a mayor [sic] issue for Apple, Facebook, Google, Microsoft or Yahoo. All of them operate data centers in Europe, but may need to fundamentally restructure their data storage architecture and maybe even their corporate structure. . . . This is [sic] may have major commercial downsides for the US tech industry.

It is hard to predict how damaging this would be. Many companies have already started building data centers in Europe. A hard end to safe harbor likely would harm their operations; the hurt would be worse for companies that do not yet have separate data centers in Europe. I could also see this type of fragmenting harming newer tech companies unable to afford the upfront capital costs to build or lease data centers in multiple locations. That type of anticompetitive outcome would be particularly ironic, given Europe’s current antitrust concerns about companies like Google.

NSA Surveillance

One final point about what won’t happen, in any event: As the Center for Democracy and Technology has pointed out, Bot’s decision, even if affirmed, will not automatically trigger a drop in NSA collection. American tech companies operating abroad might not necessarily escape NSA surveillance, either, simply by keeping their data in Europe.

Of course, if the Court endorses Bot’s opinion, then Silicon Valley will have an even stronger financial incentive to push back against U.S. government surveillance. Threats from the German government reportedly led Microsoft to challenge the U.S. government’s warrant under ECPA, and similar concerns motivated Apple to encrypt the iPhone 6. Legal resistance along these lines could quickly transform into full-out lobbying for changes.

***

Perhaps the possibility of disrupting ongoing negotiations and crippling the American tech sector without actually limiting the NSA’s mass surveillance activities might cause the Court to reject the Advocate General’s reasoning, or at least adopt a ruling narrow enough to preserve the safe harbor’s essential elements.

If not, the data privacy debate is going to get very complicated very quickly.


Alex Loomis graduated magna cum laude from Harvard Law School. While in law school, he interned in the International Affairs Division of the Office of General Counsel of the Defense Department, as well as the Office of the Legal Adviser at the State Department. He graduated cum laude from Harvard College in 2012.
