An in-depth look at the legal scenarios arising from the EU landmark ruling that declared invalid the EU-US Safe Harbor agreement on the transfer of personal data.
On October 6, 2015, the European Court of Justice (“ECJ”) ruled in the “Schrems” case that the U.S.-EU Safe Harbor framework on the transfer of personal data from Europe to the United States, was invalid.
For the past 15 years, the Safe Harbor framework gave privileged status to U.S. companies, allowing them to “self-certify” that they complied with privacy standards negotiated between the European Commission and the United States Department of Commerce under the Clinton Administration, standards that the EU had deemed “adequate”.
Effective immediately, today’s ruling may force all of the 4,400 U.S. entities that currently rely on the Safe Harbor to receive data from their EU partners and subsidiaries to seek alternate modes of data transfer, or risk non-compliance with EU data protection requirements.
Austrian privacy campaigner Maximilian Schrems originally formed his complaint before the Irish Data Protection Authority (“DPA”) against Facebook’s use of his data, and the transfer of data occurring between Facebook’s Ireland entity and its U.S. parent company.
According to the complainant, and based on Edward Snowden’s revelations on mass surveillance, Facebook and other U.S. multinationals were, directly or indirectly, allowing U.S. national security agencies unrestricted access to EU citizens’ data.
Such unrestricted access could be construed as being in violation of the fundamental rights granted under the EU Data Protection Directive 95/46 (the “Data Directive”), currently under revision in the EU.
After the Irish DPA declined to investigate such concerns on the basis that the Safe Harbor implemented between the U.S. and Irish entities was exclusively overseen by the European Commission, the complaint was elevated before Europe’s highest Court.
The ECJ disagreed with the Irish DPA’s interpretation, by stating that the existing provision “does not prevent a supervisory authority of a Member State … from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection”.
In essence, this means that each EU member state DPA has the authority to hear complaints about the level of protection for personal data that other countries offer, and potentially to second guess any determinations that the European Commission has made that those countries offer adequate protection.
In addition, the Court noted that “legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law”.
Following the September 23 opinion of Yves Bot, the ECJ’s Advocate General for the case, which notably stated that “once personal data is transferred to the United States, the National Security Agency and other United States security agencies such as the Federal Bureau of Investigation are able to access it in the course of a mass and indiscriminate surveillance and interception of such data”, the Court invalidated the EU Commission decision 2000/520/EC of 26 July 2000 on the adequacy of the Safe Harbor framework to EU privacy standards.
THE REACTIONS OF THE EU INSTITUTIONS
The EC promptly reacted to the decision of the ECJ. In a press conference on the day of the ruling, the First Vice-President of the EC, Frans Timmermans, and the Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, explained how the EC plans to tackle the issues raised by the Court.
In particular, they clarified that the Commission now has three priorities in light of the ECJ’s ruling: (i) guaranteeing that the data of EU citizens are protected when transferred across the Atlantic, (ii) ensuring that data flows continue, and (iii) ensuring a uniform response across the EU on alternative ways to transfer data.
According to Commissioner Jourová, the data flow can continue under EU data protection rules which provide for other safeguard mechanisms for international transfers of personal data (e.g. standard data protection clauses in contracts between companies exchanging data across the Atlantic or corporate rules for transfers within a corporate group) and the derogations under which data can be transferred (i.e. performance of a contract, important public interest grounds, vital interest of the data subject, or consent of the individual).
The EC is planning to provide clear guidance to national data protection authorities on how to deal with data transfer requests to the US, in light of the ruling, and will put relevant information and contact points on its website.
The guidance should guarantee a uniform enforcement of the ruling and more legal certainty for citizens and businesses.
The Chair of the European Parliament Civil Liberties Committee, Claude Moraes, has called for the immediate suspension of the Safe Harbor agreement, following the decision of the ECJ, and for its replacement by the Commission with a new framework for transfers of personal data to the US in compliance with EU law. The European Parliament had already advanced those requests more than once in the past.
THE REACTION OF THE UNITED STATES DEPARTMENT OF COMMERCE
The Secretary of the U.S. Department of Commerce, Penny Pritzker, promptly issued a press release expressing deep disappointment with the decision. The statement indicates that the decision “creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy.” It further calls for the release of an updated Safe Harbor Framework “as soon as possible.”
Secretary Pritzker’s statement also indicates that the U.S. is prepared to work with the European Commission to address the uncertainty that this decision causes for U.S. and EU businesses so that businesses that “have complied in good faith with the Safe Harbor and provided robust protection of EU citizens’ privacy in accordance with the Framework’s principles can continue to grow the world’s digital economy.”
IMMEDIATE IMPACTS AND LONG-TERM CONSEQUENCES
The ECJ decision will now be sent to the High Court in Dublin, in order for the national judge to use this new interpretative framework as a basis for deciding Schrems’ legal challenge for Facebook to be audited.
While the ECJ decision is of immediate application, the practical effect in a B2C setting will actually depend on the actions of the DPAs in each European Union member state, and others.
Meanwhile, public outrage may lead to a wave of complaints and possible requests for interim action, such as injunctions before national courts. Such initiatives may notably be undertaken by the likes of complainant and privacy activist Mr. Schrems, and others who follow his lead.
Strictly speaking, only a decision from the European Commission has been invalidated — the Safe Harbor remains a voluntary mechanism adopted by the United States under the supervision of the U.S. Federal Trade Commission (“FTC”) or Department of Transportation (“DoT”).
Accordingly, companies that have certified as compliant with the Safe Harbor are still subject to FTC or DoT jurisdiction, but compliance with the Safe Harbor Framework will no longer be assumed by European authorities to offer an adequate level of protection.
The consequence of this ECJ decision lies in the fact that each national DPA now has the power to control the conformity of a data transfer not only to the Data Directive, but also to the Safe Harbor framework.
Therefore, the compliance of the U.S. data importer with the Safe Harbor Framework may now be scrutinized by both the FTC and DoT (as before), and each local DPA.
From a B2B point of view, this decision will, without doubt, disrupt the ongoing negotiations with European business customers, who might threaten to interrupt the delivery of goods or services and seek redress for noncompliance until their providers establish alternative grounds to transfer data to the United States in accordance with the requirements of the Data Directive.
While the Safe Harbor certification of each U.S. entity may now be scrutinized by each local EU DPA, from an EU law perspective, alternate modes of data transfer may still be relied upon, such as Data Transfer Agreements based on the EU Commission Model Clauses (a fixed contractual template regulating the transfer of data from one or more EU data exporters to one or more non-EU data importers) or Binding Corporate Rules (“BCR”, an ad-hoc set of rules governing the processing of personal data within the various entities of a given group of companies).
Continuing to rely on the Safe Harbor, or switching to one of these alternatives, involves potential risks to both U.S. companies and European corporate affiliates, including the following:
– If the Safe Harbor certification of a U.S. company is deemed invalid by a DPA, this European DPA may initiate sanctions against any EU exporter making data available to this U.S. data importer. If this U.S. data importer has no physical or commercial presence in EU territory, no sanction may be enforced against it by an EU DPA.
– If, to secure their data transfers from Europe, the U.S. importers execute Data Transfer Agreements with their EU counterparts, the joint-liability regime of the European Model Clauses will make the EU data exporter bear the whole of the actual liability.
On the one hand, Model Clauses are easily executable, but do not provide much flexibility. In addition, their adoption involves legal risk due to their pass-through liability and audit requirements, and is not always feasible due to the need to execute clauses with any sub-processors that will have access to the personal data transferred.
On the other hand, BCR are time consuming and potentially expensive to implement, but may offer a tailor-made solution for a given group of entities.
U.S. companies should carefully explore the risks and benefits that data transfers using the Model Clause and BCR approaches offer, and may also wish to re-examine business practices to avoid exposure to the legal risks that transfers of personal data outside of the EU involve.
A re-examination and change in data transfer practices could help mitigate the risks that the Model Clause and BCR approaches have under EU law, as well as potential risks that agreeing to European-style data protection expectations might have if tested in litigation in U.S. courts.
The draft Data Protection Regulation currently being discussed in the EU appears to maintain both the Model Clause and BCR mechanisms, which also offer the advantage of regulating data transfers worldwide and not solely to the United States.
We may reasonably doubt that the ECJ’s intention was to sanction EU companies that transfer data outside of the EU under the Safe Harbor framework. Notwithstanding, this may be the final outcome of its decision.
There is little doubt that this decision will have a political impact, should the Obama administration elect to carry this issue forward within the Trans-Atlantic talks, notably those surrounding the adoption of the TTIP, particularly once the draft Data Protection Regulation is adopted in the EU, which is expected before the end of 2015.
The whole debate about “suppressing borders” to online film viewing will only have any possibility of success if it is combined with a structural support to an evolution of the current chain of value and the whole European film industry source of income.
February is an essential month in the movie industry calendar. For a few days, the Martin-Gropius-Bau, an elegant 19th-century building that survived Berlin’s historical dramas, becomes the most important film marketplace in the world.
At the European Film Market, which runs parallel to the Berlinale, hundreds of films from all over the world are sold to film distributors, also from all over the world. In the market corridors, or in the large bars of international hotels, dozens of agreements will turn film projects into a viable reality.
Europe is the main player here, both on the selling and the buying side, but not the only one. And what is sold here? Well, leaving aside co-production deals, this is essentially a market of distribution rights within a particular territory.
Film sales agents, authorized by the films’ rights holders, contact distributors and do what humans have been doing in markets for many centuries.
Films we have never heard of; films which are only known, if at all, in their country of origin, or which are already a hit at the domestic box office; films which may not be fully finished or which are little more than a script and a production plan; titles of all sorts of budgets and genres are sold to distribution companies on a national basis, for these companies to make them available to theatres, to include them in an online catalogue, or for many other uses. It would take too long to describe here all the possible deals and formats these agreements can take.
What is important is that, as a result of those deals, as in any business, someone will be putting money at risk betting on the success of a movie; someone will start to recover part of an investment thanks to a good sale; someone will obtain the final amount allowing the film to become reality: “pre-sales” are in many cases a way of financing the film itself.
Once the market is over, distributors from small, midsize or large companies will return home with some titles in their bags and the rights for their theatrical and/or online distribution (and even other options nowadays) within a particular country.
Once back, they will spend time and money, in the form of advertisement targeted to the particular audience and in the language of the country where the film is to be released.
Many months or a couple of years later, leaving aside piracy, some of those movies will fall into total oblivion. But others that started their commercial life in Berlin may have won some awards here and there, or may have been very successful at the box-office.
Then, viewers’ demand for them will grow; people will look for those titles online… only to discover that the film is not available for viewing in that particular country.
Geo-blocking, that is the word. Online catalogues are territorial, even within the EU, and what is perhaps already available in one member state is blocked for you as soon as the platform’s software discovers that your IP address belongs to the other side of the border.
What? Outrageous! Wasn’t the EU supposed to be a single market? Is that only true for the offline world? This is a truly anti-European practice! Well, wait a minute. This is not the result of an evil plan against consumers.
This is just the natural consequence of those deals which started at the ground floor of the Martin-Gropius-Bau, or any other film markets in Europe and abroad. It is just the result of a complex business model which sustains the very existence of that film you want to watch.
If someone paid for the film rights in Belgium, that company naturally expects to recover that investment in the Belgian box-office or through a Belgian web platform.
And that would be complicated if the Belgian audience could watch the film online through the distribution made possible by someone who purchased the online rights for Austria or for Ireland. It could even happen that a movie is already online in Ireland before it has been released in theatres in Antwerp or Brussels.
The European Commission wants to change this state of things. Commissioner Oettinger travelled to Berlin on February 9 to proclaim again that message before an audience of 700 film professionals.
It was his first direct contact with the film industry in his political career:
“I want more choice for consumers. They should also benefit from the advantages of digitalization and be able to shop for more films across-borders”.
This is the mantra constantly repeated by EU officials, even by Juncker himself. As they sometimes make it sound, their ideal world is a European digital single market where consumers can watch what they want, when they want, from any country. It sounds so nice. But who will be paying for that? To whom? How?
Too often those same officials forget to say that it is also the Commission’s responsibility to ensure that, in such an idealistic scenario, viewers can keep watching European content. That is also their obligation, both political and legal, according to the Treaties.
A similar consideration can be applied to many Members of the European Parliament (although MEPs are certainly free to have an anti-European political agenda or one that attacks European interests if they wish so).
That means that the whole debate about “suppressing borders” to online film viewing will only have any possibility of success if it is combined with structural support for an evolution of the current value chain and of the European film industry’s sources of income as a whole.
This is not about protecting old business models per se: everybody and everything must adapt to the online world and to new habits of consumption. The current “media chronology”, for example, which sets the mandatory timing of a film’s consecutive windows from the theatrical release to laptop downloading or TV broadcasting, must be reviewed.
It is definitely too rigid. Other issues can be reviewed too, such as the situation of films which are simply not available at all in one country because demand there is too small, but are fully available somewhere else in Europe.
Those and other aspects will need to change, and the industry knows that. But who has the capacity to buy the distribution rights of a film for the territories of 28 Member states at the same time? Who can manage and care about those theatrical releases of one title from Palermo to Gdansk, dubbed or subtitled in Polish, Italian and all the other languages?
Can that be done with one single uniform marketing campaign? And can it be done simultaneously? The replies to those questions easily lead to the names of a few non European companies, and to the film titles those companies would be ready to invest in.
In other words: for too many people it is Europe’s cultural diversity that can be at risk here, if the current scheme of contracts and investments and payments, which keeps the industry alive, is just killed through the EU’s Official Journal before the European film industry has been transformed and alternative ways of monetising film production and film distribution have been put in place.
Innovation can bring (it is bringing already) new opportunities to those who risked their money for a beautiful film to exist in the first place. It is so interesting that almost at the very moment Commissioner Oettinger was talking on the first floor of the Ritz-Carlton hotel in Berlin, Netflix announced that it is opening its service in Cuba, and promised to include a large number of Cuban movies in its U.S. catalogue (and, when possible, in other countries).
This will not reach a wide audience in Cuba for now (according to the International Telecommunication Union the country had 5,360 fixed broadband subscribers in 2013, out of a population of about 11.3 million), but the symbol is there.
In approximately three years, an audience of tens of millions of viewers, in the US and abroad (and a few Cubans among them), will have access via Netflix to some of the best European films resulting from deals closed in Berlin in February 2015.
How big is the divide between the United States and Europe when we talk about data protection and cybersecurity? And what is at the basis of the current differences between the two regional players? Is it just Snowden and the NSA, or is it a deeper issue?
I had the privilege to contribute to the European perspective among a large group of experts attending an interesting exchange about this in Washington DC. What was supposed to be a conference on cybersecurity policy and regulation became an exchange on privacy and data.
It is difficult for the EU and the US to work together in the field of online and data security as long as we have those other open quarrels on privacy protection and the rules applicable to transatlantic transfer of data.
I was a bit surprised to realize that the whole data protection regulatory approach in the EU is observed with a mix of admiration and respect by US experts. And, interestingly enough, it is our model which is on the way to becoming a world standard among democracies.
Both systems are clearly different: we have a structured piece of legislation on privacy in Europe (currently in full revision), with clear definitions of privacy-related data, clear rules about the rights and obligations related to the use of those data, and clear authorities responsible for enforcing those measures.
In the US, the legal protection of online privacy results from a diversity of legal instruments, enforced by different agencies and authorities. This is combined with the importance given to self-regulation by companies.
But is the demand for online privacy by citizens that different in Europe and the US? No, as a matter of fact it isn’t. Americans do want their privacy protected as well.
What is radically distinct between “us” and “them” can be reduced to a word: trust.
Europeans do not trust their government’s management of data and will not give them a blank check.
The Stasi, Ceaușescu, and many other personal experiences of authoritarian invasion of private life have taken their toll on the public perception of the risks of abuse of personal data. The US public does not have that memory. It is not a perceived risk. Definitely not in mainstream public opinion.
And what about private companies? How much of Europeans’ mistrust of Facebook or Google is directed at those two companies and their privacy policies, and how much at their potential collaboration with the US Government? Difficult to say.
But what appears to be clear is that a great many Europeans ask their public authorities, including their European legislators and the European Commission, to assume an active role in protecting them from this potential external intrusion.
An intrusion which, in the public perception, comes from the United States: in part from its Government, in part from its huge corporations which control the largest part of our online digital life.
If this is true, then the current transatlantic difficulties regarding online privacy require a social approach, must deal with this citizens’ mistrust, and are not just a matter of technical negotiation between experts or bureaucrats on both sides of the Pond.
The matter will only be solved if this public trust is reinforced. US companies have a lot to lose if the transatlantic flow of private data is halted; if the “safe harbour” scheme, which currently regulates in which cases private data originating in Europe can be transferred to and stored in the US, is interrupted.
But we know well that this scheme is not working, and the threat to annul it is real (and it may be the Court of Justice that annuls it in the first place). The Commission, under huge pressure from the Parliament, is negotiating this with the US.
But this is not just a legalistic issue to be solved like a trade negotiation over battery standards. This is a problem with deep social roots. The sooner American decision makers, in Congress and in Government, understand this, the sooner it will be possible to rebuild the indispensable trust on the part of Europeans.
And only with that trust in place will we be able to work together, US and EU, in the search for common answers to the essential common threats to our online and digital security.