Alan Charles Raul is a partner in the Privacy, Data Security and Information Law practice of Sidley Austin LLP. You can follow his group at datamatters.sidley.com.
In a decision Tuesday that was as shocking as it was predictable, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor for westward-bound international transfers of personal data. Companies whose information flows to the United States will be impeded by the EU decision need to look to the U.S. government, and not just the EU, for letting this mess happen.
The case stems from a complaint Max Schrems filed with the Irish Data Protection Authority about the privacy risks of using Facebook. He was concerned that electronic communications transferred to the United States would end up in the hands of the NSA’s PRISM program. PRISM involves the NSA’s use of a provision in the Foreign Intelligence Surveillance Act, section 702, that allows it to target non-U.S. persons located outside the United States for foreign intelligence purposes. This section only applies to collections from electronic communication service providers located in the United States.
The CJEU followed a recommendation of its Advocate General that assumed, without any facts or analysis, that NSA surveillance under section 702 is massive and "indiscriminate." Without the opportunity to receive any evidence or argument from the U.S. government, any U.S. company, or any amicus filing a brief on behalf of the United States, the CJEU decided that the EU’s executive branch, the Commission, had improperly determined that the U.S. Safe Harbor assured EU citizens an "adequate" level of privacy and data protection. This finding was necessary because the EU prohibits sending personal data to a non-EU country that does not provide "adequate" protection, which the CJEU understood as requiring the third country in fact to ensure, “by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.”
Accordingly, a company needing to send its HR data or customer records to the United States requires an EU-approved mechanism to legitimate transfers of the personal data across the Atlantic. Until yesterday, companies could certify that they comply with the fundamental privacy principles worked out in the Safe Harbor framework in 2000 between the U.S. Department of Commerce and the EU Commission. Participating companies must also agree to submit to the enforcement jurisdiction of the Federal Trade Commission in the event of non-compliance with those principles, making their commitments legally binding.
Other than Safe Harbor, U.S. companies can transfer data pursuant to certain EU-approved data transfer contracts, which can be implemented even between offices of the same multinational in different countries, or by adopting so-called Binding Corporate Rules where a company agrees to self-impose EU privacy standards for transfers of EU data throughout the company’s global operations. International data transfers are also allowed if EU citizens are informed and freely consent to the transfer of their data.
The rationale for the CJEU’s invalidating the Safe Harbor is not really clear. The CJEU was apparently not required to, and did not, conduct any analysis of U.S. law, let alone review the statute authorizing NSA collection of foreign intelligence material under section 702. Accordingly, the CJEU merely assumed, and did not actually rule (or even consider) whether the PRISM program of concern to Mr. Schrems was indeed indiscriminate or unjustified.
If the CJEU had examined that statute, it would have found checks and balances, including judicial oversight, more rigorous than controls on government surveillance in most if not nearly all other countries, including EU member states. Even beyond the requirement for judicial approval, the Attorney General and Director of National Intelligence must both certify that the NSA surveillance involves obtaining foreign intelligence information, is subject to rigorous minimization procedures to avoid excess collection, and is a collection that requires the assistance of an electronic communication service provider.
After such detailed authorization, the Department of Justice Inspector General and the relevant intelligence community Inspector General must investigate and report on the surveillance practices, and the relevant intelligence agency must provide an annual report to the House and Senate Intelligence Committees, and also to the House and Senate Judiciary Committees. The Privacy and Civil Liberties Oversight Board (PCLOB), now a fully independent, free-standing institution of the federal government, is another oversight body authorized to investigate and assess these national security surveillance practices. In fact, the PCLOB concluded that the PRISM program “consists entirely of targeting specific persons about whom an individualized determination has been made”—hardly indiscriminate surveillance.
Significantly, the PCLOB has specifically asserted its role and authority to assess the impact of such surveillance on non-U.S. persons. In its 2014 report to Congress, the PCLOB addressed the issue head-on, noting that many of the “applicable protections that already exist under U.S. surveillance laws apply to U.S. and non-U.S. persons alike” and that it will contribute to President Obama’s effort to add additional privacy protections for non-U.S. persons.
So how could the CJEU be unaware of the extensive certifications, checks, balances, judicial approval and independent oversight applicable to the national security surveillance in question? The answer is that the U.S. government simply does not defend or even explain how the privacy system works—neither with respect to national security privacy issues, nor with respect to commercial privacy regulation. The President has designated no one to be in overall charge of coordinating these issues government-wide and to serve as a senior public spokesperson with responsibility to communicate effectively on privacy to foreign and domestic constituencies. Accordingly, it is no wonder that the CJEU made no real effort (indeed no effort at all) to understand the significant protections built into the U.S. system, even for foreigners.
Another recent example of the negative consequences of having no White House privacy coordinator is that the Department of Justice was left free to serve a search warrant in 2014 on Microsoft to compel disclosure in the U.S. of one of its customers’ communications that were stored in Ireland. With no senior policy person to tell DOJ how much damage this would cause to the United States’ international privacy reputation, the fallout has been highly damaging to global respect for the U.S. privacy and data protection regime. The data the DOJ seeks could have been readily obtained from Ireland using the Mutual Legal Assistance Treaty process.
In sum, the sky may not fall with the (perhaps temporary) collapse of the Safe Harbor. EU officials have indicated they are determined to protect transatlantic data flows, and are likely to find a way to enhance the Safe Harbor in the future and acquiesce in short-term workarounds. In the meantime, companies can also sign data transfer contracts between their subsidiaries, or look to individual consent and other mechanisms for legitimating the transfer of personal data to the U.S. And while the CJEU’s decision in the Schrems case was neither logical nor informed, the U.S. government needs to do a much better job of explaining (and defending) U.S. privacy and data protection laws so this sort of mess doesn’t happen again.