I. What are the alternatives after “Safe Harbor”?
…and will controllers that aid spy systems get away with them?
Option 1: Consent – Art 26(1)(a)
Many argued that large B2C businesses (the “household brands” of the net) will simply add a “disclaimer” to their privacy policies that will take care of international data transfers – a very American legal approach that will very likely fail under EU law.
While there are cases where this can be a proper tool for most of the “average” data transfers, it seems that transfers to controllers that are involved in US mass surveillance (e.g. when data is stored in the Apple, Google, Yahoo or Microsoft Cloud) will not be legal under this approach.
When it comes to such massive interference with fundamental rights, most national data protection authorities will very likely scrutinize these “consents” very closely.
Consent has to be at least 1. freely given, 2. specific, 3. informed and 4. unambiguous under Directive 95/46/EC. Some national laws add additional requirements. Consumer rights laws in the EU, such as Directive 93/13/EEC, limit the ability to “hide” consent clauses in terms.
Let’s take Facebook as an example: As the Irish High Court and the CJEU have held, Facebook aids US spy agencies for mass surveillance. This form of “mass surveillance” is a violation of Art 7 and 8 CFR, as we now know. In theory users can arguably waive their fundamental right to privacy and data protection (mind that some scholars oppose this view). For this text, let us assume consent can be a possible option in some jurisdictions. But what would a valid (!) consent, e.g. to Facebook’s transfer of data, look like?
Users would have to be informed about the specific situation. So just saying that “data is transferred outside of the EEA”, as the Facebook terms currently do, will clearly not be sufficient to make an average user understand that his data may end up at the NSA. At the same time Facebook is still publicly claiming that it has never heard of any US spy program. Similar text can be found at Google (“We may process your personal information on a server located outside the country where you live.”) or Microsoft (“Personal data collected by Microsoft may be stored and processed in the United States or any other country where Microsoft or its affiliates, subsidiaries or service providers maintain facilities. We take steps to ensure that the data we collect under this privacy statement is processed according to the provisions of this statement and the requirements of applicable law wherever the data is located.”).
To get a valid consent, Facebook in our example would have to be very upfront and explain that all data that is used on facebook.com is subject to mass and indiscriminate surveillance by the US government. Any wording that leaves ambiguity (like the typical phrases that leave the actual fact open, such as “may be subject to”, or that are unclear about the actual form of surveillance, such as “is subject to US law”) would very likely not survive a proper review by DPAs or courts.
A legally binding consent under EU law could technically be obtained, but very likely Facebook would automatically violate the “gag order” that applies to them under US law. So basically they are trapped between US “gag orders” prohibiting proper information and EU law demanding exactly that.
The second big issue with consent for services that have effectively become a utility for many users is the requirement that consent must be “freely given”. If a user can only save his fundamental right to privacy by losing all his contacts, pictures, personal messages, postings, emails and so on, he will not make a “free” decision to waive his fundamental rights, but make this decision under severe pressure. So a user does not “freely” ask to get his data shipped to the NSA, but only does so to not be “cut off” from the most common communication tools (not only) of the younger generation.
This is not even taking into account that some member states have even stricter laws and case law on what constitutes legally binding “consent”, and the debate over whether consent can be revoked, in which case Facebook would have to instantly move data back to Europe.
In cases where data transfers previously relied on Safe Harbor and a US controller or processor is obviously not subject to US mass surveillance laws, this may however be a reasonable option.
Option 2: Contractual Solutions (SCCs and BCRs) – Art 26(2)
A large number of businesses will very likely move towards contractual solutions for B2B data transfers. This is the logical consequence, and many businesses that had good legal advice had backed up ‘safe harbor’ with these solutions before the CJEU ruling.
However, SCCs and BCRs cannot override the arguments made by the CJEU on mass surveillance under the Charter of Fundamental Rights (CFR). For persons not familiar with EU law, the CFR is the EU’s “bill of rights” that overrides, just like a constitution, any EU law. Directive 95/46 has to be interpreted in the light of the CFR, as the CJEU has held continuously. So the same issues that led to the invalidation of the ‘safe harbor’ decision can be brought before any national DPA in the 28 member states, when a data subject claims that these contractual solutions do not properly protect the fundamental rights of the data subject.
The relevant Decisions 2001/497/EC, 2004/915/EC and 2010/87/EU all have a clause that caters for exactly this situation, and allow DPAs to suspend data flows if “it is established that the law to which the data importer is subject imposes upon him requirements to derogate from the relevant data protection rules which go beyond the restrictions necessary in a democratic society as provided for in Article 13 of Directive 95/46/EC where those requirements are likely to have a substantial adverse effect on the guarantees provided by the standard contractual clauses”. This section is taken from Art 4(1)(a) of Decision 2001/497/EC; the other decisions have similar exceptions.
The question whether US surveillance laws go beyond the level allowed under Art 13 of Directive 95/46/EC was clearly established by the CJEU. National DPAs may still have certain latitude when deciding whether these laws (in the concrete situation) are “likely to have a substantial adverse effect”. Here DPAs may look at each case individually. This is also supported by Art 25(2) of Directive 95/46/EC, which requires that the “level of protection” shall be “assessed in the light of all the circumstances surrounding a data transfer operation”.
However, for US companies that are very likely to actively aid US spy programs (e.g. Yahoo, Google, Apple, Microsoft or Facebook, which are engaged in the PRISM program) there will be no reasonable DPA or court that would come to the conclusion that there is no “likeliness of a substantial adverse effect” in the light of the CJEU judgment.
If a case involves data transfers to US controllers or processors that are not typically a target for US mass surveillance, an EU controller may be able to argue that the CJEU judgment does not apply to the individual data transfer, if there is no factual likelihood that US spy programs are accessing certain data.
If data is however outsourced to businesses that factually aid US mass surveillance, or in cases where there are reasons to believe that this could be the case, DPAs will have to suspend data flows under the CJEU ruling, as the fundamental rights of the data subject would not be effectively protected under any contractual arrangement. US law would override these arrangements just like it overrides a ‘safe harbor’ certification, which is why the relevant clauses in Decisions 2001/497/EC, 2004/915/EC and 2010/87/EU will kick in – especially if interpreted in the light of Art 7 and 8 CFR and the CJEU judgment.
This situation is also foreseen in the standard contractual clauses of the European Commission. On a contractual level an EU business can simply quit the contract. See e.g. Clause 5(b) of the Annex to Decision 2010/87/EU (the data importer “has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract”). Equivalent clauses can also be found in Decisions 2001/497/EC and 2004/915/EC. This clause is very wide and basically allows termination of any data transfer deal to the US when any US surveillance law applies to a processor or controller. From a commercial perspective this may be an option to terminate contracts after the CJEU ruling without any additional costs.
So while BCRs and SCCs are very likely the only (somewhat legally stable) alternative after ‘safe harbor’ is history, they will hardly stand a challenge before national DPAs if the US recipient of personal data is subject to mass surveillance (e.g. when data is stored in the Apple, Google, Yahoo or Microsoft Cloud).
Even in other cases it would be wise to analyze e.g. 50 USC § 1881a or EO 12333 and ensure that a US controller or processor is not subject to these laws (let alone factually participating in mass surveillance programs like PRISM), as some DPAs may be inclined to look at the protection under the law in the abstract – not the factual situation. Such an abstract approach seems reasonable given that Art 25 and 26 of Directive 95/46/EC are based on the need to assess the general level of protection in a third country, as a European DPA cannot undertake factual investigations in such a third country and e.g. ensure that there is factually no “back door” in systems. In other words: the law protects data from being sent to a country that does not provide adequate protection, as it is not to be expected that another Edward Snowden will come around the corner every week and e.g. give regular updates on the controllers and processors that the NSA is currently using for mass surveillance. This would basically mean that e.g. 50 USC § 1881a, applying to all US “electronic communication service providers” (see definition at 50 USC § 1881), would allow (or more likely force) DPAs to suspend data flows to these US providers because of the abstract application to them of a law that does not comply with Art 7, 8 and 47 CFR.
Bottom line here: While (1) controllers and processors in the US that are not subject to relevant surveillance laws can safely rely on SCCs and BCRs, this gets (2) more tricky when they are (at least from a legal perspective) subject to these laws and (3) basically impossible if there is good evidence or a very high likelihood that they are also factually aiding in these systems (e.g. in the case of the “PRISM” companies).
Option 3: Other Derogations in Art 26
There are a number of other derogations in Art 26 of Directive 95/46/EC that will typically apply to individual data transfers in individual cases and cover the most common data transfers in daily business. This short text is not intended to dive into these situations as well, but I want to quickly mention that the CJEU ruling under the CFR will apply to these transfers just as well.
However, in many cases “mass surveillance” will not be a factual consequence of such transfers. When e.g. a normal order is sent to the US for the “performance of a contract” or data is sent for the “vital interests of the data subject”, these individual bits of information will hardly end up in a mass surveillance system that is aided by the recipient. Surveillance on the networks is another story of course – but a matter of data security, not international transfers. Most of the daily business transactions will therefore be able to use one of the derogations in Art 26 of Directive 95/46/EC, just like they are used when transferring data to most other countries in the world.
II. Will we soon see a “Safe Harbor 2.0”? …what are the requirements for a new deal?
The CJEU judgment in case C-362/14 sent shock waves through the privacy community. Many hope for a swift adoption of a “new” Safe Harbor decision. However, if the judgment is analyzed in this respect, it seems the European Commission and the US government would have to start from scratch in many respects. In this short comment I would like to just name a few requirements that can be derived from the CJEU judgment, while there are clearly many other issues to be addressed.
Issue 1: New definition of “adequacy”
At the core of the current Directive 95/46 is the word “adequate”. The original draft of Directive 95/46 used wording intended to require basically the same level of protection, but this was changed to “adequate”. Years later the Charter of Fundamental Rights (CFR) came into force, which has a strong influence when interpreting Directive 95/46. Especially ambiguous wording is routinely interpreted by the CJEU not only under Art 7 and 8 CFR, but also in light of the aim of the Directive to provide a high level of protection.
The CJEU has now clarified that a third country has to provide “essentially equivalent” (see p. 73 and 74 of the judgment) protection as under Directive 95/46 and the CFR.
So far many argued that “adequate” (maybe the most ambiguous word that could have been used) should mean something that amounts to some “basic protection” that is somewhat “inspired” by EU law – to put it simply. This is not the relevant definition of “adequate” anymore.
This definition will be a major problem for commercial data usage, as the ‘safe harbor principles’ (SHPs) and the ‘safe harbor’ FAQs provided a weak shadow of the principles in Directive 95/46. We have submitted a short review of the differences between the SHPs and Directive 95/46 by Prof. Boehm to the CJEU to illustrate just some of the shortcomings.
The CJEU has (as expected) not addressed cases of private data processing, as the ‘safe harbor’ was already found to be invalid under the ‘core issues’ of the case. The SHPs were therefore not discussed. For any ‘safe harbor 2.0’ the “essentially equivalent” standard will however still be the relevant case law. A ‘safe harbor 2.0’ will therefore need to come with new SHPs that would have to be more or less a 1:1 copy of the principles in Directive 95/46. Otherwise any challenge to a new ‘safe harbor’ will very likely be successful, which means that controllers will find no legal certainty in a quick fix based on the old SHPs and FAQs.
Some may think about a possible change of the requirements to transfer data to third countries in the proposed EU data protection regulation, but as the CJEU’s interpretation is based on Art 8 CFR, I doubt that this would be an option. Instead a regulation that sets a much lower bar may itself violate Art 8 CFR. The regulation will also only come into force in 2018, so this will hardly be a reasonable option for an instant fix.
Bottom line: The COM and the US would need to agree on new ‘safe harbor principles’ that must be basically a copy of Directive 95/46. The old SHPs will not be sufficient to withstand a challenge at the CJEU.
Issue 2: Effective Detection and Supervision Mechanisms
Next the CJEU requires that “adequate protection” includes “effective detection and supervision mechanisms” (p. 81 of the judgment). This goes clearly beyond what the ‘safe harbor’ has so far provided.
While there is private arbitration under ‘safe harbor’, the private arbitrators have no power to factually investigate complaints, so private arbitration bodies will not be able to fulfill the requirements under the current system to basically replace a DPA. There may be options to strengthen these bodies, but this will not be easy as they simply lack the powers of a public authority.
At the same time the FTC has not really done solid enforcement of the ‘safe harbor’, despite many claims to the contrary. The often-cited cases brought by the FTC only under ‘safe harbor’ were formal violations of the ‘safe harbor’ (lapsed certifications or false claims of certification).
All three (!) cases of material violation of consumers’ privacy enforced by the FTC since 2000 were in reality based on a violation of US law. The material violation of ‘safe harbor’ was basically a side note in all three cases. There was no case where a company was found to violate the ‘safe harbor’ only. So in the end there is effectively no case where ‘safe harbor’ certified companies were held to a higher standard in material privacy protection. If a US company was certified, statistically it mainly only ran the risk of having the FTC knocking on its doors if its (most basic) paperwork was not in order.
While it is a reasonable PR strategy by the US government to name the overall number of enforcement actions, the factual enforcement by the FTC did not lead to a really higher standard among ‘safe harbor’ companies – and everyone in the privacy community knew it. Some also acknowledge this when they say that a switch to BCRs or SCCs will mean a real difference for US businesses. It is still very frustrating to see how the myth of serious enforcement of the ‘safe harbor’ is repeated over and over, also on the European side.
This is not to deny that the FTC has a long list of enforcement actions for other privacy violations, but the statistics are clear that ‘safe harbor’ is not the tool that leads to serious enforcement in practice.
Finally the CJEU requires that violations are “identified and punished in practice”, which seems to at least conflict with the FTC’s approach of mainly working with settlements.
To be fair: This standard for enforcement is high, and some EU member states (e.g. Ireland) would not fulfill this requirement. But from a legal perspective the lack of enforcement within the EU is an issue for an infringement procedure by the COM or legal challenges in Europe, not US adequacy. Just because some of the 28 member states do wrong does not mean that a third country can refer to these weakest links in Europe. This argument is therefore valuable from a political standpoint, but will very likely not hold the CJEU back from requiring solid enforcement in the US.
Issue 3: Self-Certification as Mechanism
We have argued that the SHPs do not constitute “domestic law or international commitments” (see Article 25(6) of Directive 95/46). The CJEU has (without any further debate) not followed this formalistic argument. Instead the CJEU confirmed that “adequate protection” can in theory be provided by a self-certification mechanism – not only by laws or international commitments (see p. 81 of the judgment).
But the arguments further employed by the CJEU show that the practical implementation of a “self-certification” mechanism quickly gets messy.
The CJEU mainly criticizes the fact that the SHPs do not apply whenever there is conflicting US law, case law or executive decisions. But the SHPs, as a private form of self-limitation, can by their very nature only apply in areas where no conflicting legal duty exists. A private self-certification system always means that any federal or state law, any executive decision and any US judgment overrides the SHPs. This structural flaw is brought up by the CJEU multiple times, for example:
– US public authorities not covered
The CJEU e.g. criticizes that US authorities are not covered by the ‘safe harbor’ (p. 82 of the judgment). This is the natural result of a private self-certification mechanism, which is by its very nature only open to private controllers. But this still creates a legal vacuum when data is forwarded to US state actors in general. Here the CJEU is not even addressing ‘mass surveillance’ but just normal transfers. There may be a number of laws and practices in the US that govern data handling by authorities, but they have to be assessed and considered for a new ‘safe harbor’. It would take a lot of research to identify the laws and regulations in all federal, state and local authorities to ensure they all comply with EU standards.
– Blanket Exception for US law
The CJEU notes a number of times that the limitations of the SHPs are basically a blanket exception (see e.g. p 85 and 88 of the judgment). Under EU law, such a blanket exception must fail any proportionality test under Art 52(1) CFR.
Simply put, from an EU legal perspective there is a big “black hole” in the protection under the ‘safe harbor’ system, with no proper limitation. Basically any law that exists in the US which does not fulfill the proportionality test of the CFR will creep out of this hole in the SHPs and lead to a processing operation that invalidates the Commission decision.
So while the CJEU does not generally say that self-certification does not fulfill the formal requirements of Article 25(6), an approach where any national law automatically overrides a self-certification would effectively need a review of all relevant laws and practices of a country.
So a “mixed system” where self-certification and domestic laws go hand in hand is possible according to the CJEU, even if the adequate protection is not enshrined in a “domestic law”, but at the same time all potentially conflicting national laws need to be considered and found to be “essentially equivalent” to EU law.
If this thought is continued, a self-certification approach would only be a reasonable system in third countries where all potentially conflicting laws provide “essentially equivalent” protection as Directive 95/46, but there is simply no data protection law for the private sector.
Given current US surveillance laws and orders, the lack of any constitutional guarantee for non-US persons and the almost endless options of legal duties under federal, state and local laws and orders (for instance FISA, EO 12333) that could override the SHPs, it is hard to imagine that the COM could make “sufficient findings” (p. 83) to make a new ‘safe harbor’ decision that is based on a self-certification mechanism unless there are severe changes in US law.
Issue 4: DPAs get new powers
Finally the CJEU found that the COM has denied the national DPAs in 28 member states their authorities under Art 28 of Directive 95/46. A new ‘safe harbor’ would therefore need some kind of general allowance for national DPAs to take action, despite a finding of adequacy.
All existing adequacy decisions already have a “back door” built in (see e.g. Art 3 of the ‘Safe Harbor’ Decision) but following the CJEU ruling they will need to be much more open to the concerns of individual DPAs. This basically means that even if the European Commission and the US can agree on a new ‘safe harbor’ system, national DPAs may still restrict data transfers in cases where they feel that the privacy rights of data subjects are violated.
Any new adequacy decision will therefore be much more of a “general rule” than a “blanket allowance”. In cases of mass surveillance national DPAs will be able to prohibit data transfers, just like under alternative transfer methods under Art 26 of Directive 95/46.
Issue 5: Mass surveillance
Finally the CJEU addresses the core issue of the complaint: mass surveillance.
After the data retention ruling, the result on mass surveillance did not come as a surprise to persons familiar with EU law. The CJEU consequently notes that there is no finding by the European Commission that the US government’s interference with the right to privacy is limited to what is strictly necessary and proportionate for the protection of the national security of the US.
Interestingly the CJEU has even found that the “access on a generalized basis” to the “content of electronic communication” is a violation of the “essence” of Art 7 CFR – which is a biggie for EU lawyers (see p. 94), because if a measure violates the essence of fundamental rights, there is no chance to justify this measure in a proportionality test. In simple terms “drag net surveillance” of content data is “off the scale” of any proportionality test. This is also very important case law for surveillance systems of EU member states.
I am aware that this factual claim is very much disputed by the US, but the facts were undisputed within the EU. The recent counterarguments from the US government are also mainly based on a wrong understanding of EU data protection law. It is important to understand that the mere “making available” of data (so e.g. providing an API that allows direct access) constitutes an interference with Art 8 CFR. At the same time this is not even remotely touching on a person’s rights under US law. In summary, measures that are not even relevant under US law can easily be “mass surveillance” under EU fundamental rights. EU law has a much broader scope of protection that goes far beyond the actual misuse of data, but is also focused on the possibility of misuse and loss of control. This was also highlighted in the data retention ruling, where the mere storage of “meta data” at telecom providers for potential use in individual cases was seen as a violation of the CFR – a system that the US proposes as a “privacy friendly” alternative to government collection.
The fact that these programs are secret makes fact-finding very complicated. When the US mission to the EU has criticized that the advocate general should have investigated the facts further, it seemed rather absurd, given the secret nature of all details. From a legal perspective the CJEU is also not engaged in fact-finding, but relies on the facts established by the referring court (in this case the Irish High Court).
In relation to the US government’s interference with the right to privacy (e.g. in national security cases), the CJEU also notes that there is no effective legal protection for non-US persons (p 89). The question of judicial oversight and individual redress is actually also debated within the US. It will be very hard to see how this requirement by the CJEU can be implemented in US law, as not even US persons have reasonable options to take action against US mass surveillance programs – let alone non-US persons that cannot rely on the Bill of Rights.
At this point I would also like to quickly address the “hypocrisy” argument from the US side, basically arguing that some (!) EU member states are running similar systems. This is very true, but ignores the fact that the CJEU has no jurisdiction in this respect, as “national security” is a national matter under EU law. The CJEU has struck down the data retention directive (a system that is seen as rather privacy friendly in the US), where it had jurisdiction. It will be upon the national constitutional courts of EU member states and the ECtHR in Strasbourg to use the case law in C-362/14 and apply it to national surveillance as well. In contrast to the US constitutional system, fundamental rights, including forms of redress, are also open to everyone – not just to EU citizens. So while the laws of many EU member states are far from perfect, there is at least the possibility that courts could strike down this situation.
This ruling will be very useful for the fight against mass surveillance in Europe. While Art 7 CFR only applies to EU laws and acts, the exact equivalent in Art 8 ECHR will also apply to mass surveillance under domestic EU law. We will surely see cases that will end up at the ECtHR in Strasbourg, where the decision by the CJEU that is limited to EU law will hopefully be very helpful case law in cases of national surveillance laws. To be clear: There is no doubt that a lot of work on this side of the Atlantic has to be done as well. Given the application of the ECHR there is also a reasonable chance that these issues could be solved sooner or later.
Summary: Will we see a ‘Safe Harbor 2.0’ soon?
At first I expected the European Commission to patch the current ‘safe harbor’ within weeks or months. This is also the approach the European Commission is currently working on.
After a second review of the judgment of the CJEU it will be very hard to come up with a solution that addresses all problems identified by the Court, given the US position. It also seems questionable if a ‘safe harbor 2.0’ will have real benefits for US controllers in practice compared to transfer methods under Art 26 of Directive 95/46.
While all issues brought up by the CJEU could be solved in theory, the US government will very likely not be able and/or willing to limit surveillance laws to an extent that they comply with all requirements of the CFR in respect to the right to privacy. To come up with effective judicial protection for non-US persons seems politically impossible, as this was not even possible for US citizens. Even the attempt to enact a Judicial Redress Act and the proposed “Umbrella Agreement” show that the two sides can only reach agreement for very limited safeguards, which are far from what the CJEU now requires.
In addition, a ‘safe harbor 2.0’ would have to include much stricter limitations for businesses. The times where US companies could get away with SHPs (that could be easily circumvented) are over. Any new SHPs must stand the “essentially equivalent” test if they are to survive another challenge at the CJEU. Once this is realized, the interest of businesses in a new ‘safe harbor’ may be rather limited, especially after everyone will have to move to SCCs and BCRs to bridge the gap period anyway.
Washington will very likely end up having to choose between a major reform of US surveillance laws and a redraft of the ‘safe harbor’ program (which will basically need to be a copy/paste from Directive 95/46 in order to have a system that withstands a new CJEU challenge), or simply living with more burdensome data transfers under Article 26 of Directive 95/46. It would not be unreasonable to pick the second option.
Controllers that can reasonably claim that they are not factually aiding mass surveillance should be able to get away with it if the national DPAs are reviewing data transfers under Art 26. But for US controllers which factually comply with the relevant surveillance laws in the US (right now according to the Snowden documents e.g. Apple, Google, Facebook, Yahoo, AOL or Microsoft), the CJEU ruling may require serious reorganization. As the core findings of the CJEU ruling are based on the CFR, they will equally apply to all transfer methods under Art 26 and any new ‘safe harbor’.
Depending on the situation, measures for the relevant US businesses could range from contractual changes to let data flow differently (e.g. directly from data subjects to the US), separation of US and EU products, and sacrificing tax avoidance schemes that involve EU headquarters to avoid EU jurisdiction, all the way to data localization.
Despite contrary initial claims, it seems like major players that are factually involved in programs like PRISM will have to take very complicated and costly measures. At the same time, businesses whose core business is not data processing may just need to switch to another legal basis for data transfers.
It will be very interesting to watch the dynamics in the coming months. After thinking through the options under the CJEU ruling, it seems that the intended “quick fix” will hardly lead to a new ‘safe harbor’ that provides the necessary legal certainty for controllers. Minding that the two parties have debated for two years to not even get the (very weak) “13 recommendations” program by the European Commission done, it seems a switch to “alternative” transfer methods under Art 26 will be more reasonable than hoping for a ‘safe harbor 2.0’.