Collapse of Safe Harbor: what happens next?


While nothing is certain in this messy situation, EU-US negotiations for a “Safe Harbor 2” will probably be “stuck between a rock and a hard place”: the high-minded fundamental rights standards of the European Court of Justice on one side and American political reality on the other.

Our working hypothesis is that, by the end of the three-month transition period, there will be no viable agreement acceptable to EU DPAs, and the likely consequences will be thoroughly unpleasant, especially for US Tech.

Safe Harbor becomes Pearl Harbor
For the last fifteen years, the Safe Harbor program has provided a legal framework for the transfer of “personal data” by thousands of companies from EU countries to the United States.

Participants include Internet giants like Facebook, which regularly transfer massive volumes of private user data, as well as many “ordinary” American companies (and some European ones) that centralize HR and customer data in US facilities in the everyday course of transatlantic business.

The sudden collapse of Safe Harbor in October of this year, precipitated by a landmark ruling on privacy and data protection from the European Court of Justice (ECJ), sent companies scrambling for alternative solutions and opened an unprecedented period of legal and regulatory uncertainty.

In an urgent meeting several days after the ruling, the Article 29 Working Party of EU data regulators agreed on a transition period running to the end of January 2016, but no one really knows what solutions can be put in place, or what will happen afterwards.

The writing on the wall

However sudden the collapse, it must be said that the writing has been on the wall for some time. Safe Harbor certainly furnished a convenient – even essential – legal framework for participating companies, but the claim that it provided any substantial protection to people for the privacy of their personal data – especially given the massive intrusiveness of US public authorities – is manifestly untrue. Worse still, everyone involved in the program knew it.

While the European Commission and the national regulators bear their share of responsibility in this sorry situation, to their credit they have been pushing negotiations with the US over the last two years for a more meaningful agreement. While some progress has been made, there is no agreement and the question of abusive access by public authorities remains a sticking point.

In a different but related issue, continuing US claims to jurisdiction over data stored in the European facilities of US service providers could make matters worse. In Microsoft v. United States, the company has been fighting an entirely admirable battle with the US government over emails stored in its Dublin data center. If it loses again in federal court, European confidence in US Tech, and more broadly in the United States whenever data is involved, would take another big hit.

In short, the EU and the US appear to be heading for a high stakes showdown over personal data protection ... and how it will all play out is far from clear.

How Safe Harbor collapsed

Personal data protection law in the EU

The 1995 EU Data Protection Directive, which member states had to transpose into national law by October 1998, forbids the transfer of personal data to a non-EU country unless that country ensures “an adequate level of protection of the data”, which according to the ECJ means “a level of protection essentially equivalent to the fundamental rights and freedoms guaranteed within the European Union”.

The Directive also provides that the European Commission may issue a finding that a given non-EU country ensures an adequate level of protection of personal data, as it did in July 2000 for the United States, on the basis of the "Safe Harbour Privacy Principles" and accompanying FAQs drawn up by the US Department of Commerce. The Commission's "Safe Harbor Decision" – taken prior to the Twin Towers attacks, the Patriot Act and the excesses of the American “war on terror” – provided the legal basis for a simplified compliance program under which companies could “self-certify” that they respected EU standards of personal data protection and could therefore transfer such data to the United States.

Max Schrems v Facebook

In June 2013, Max Schrems, an Austrian law student and Facebook user since 2008, lodged a complaint with the Irish Data Protection Commissioner (DPC) that his rights had been violated by the transfer of his personal data from the company’s European HQ in Ireland to the United States. He argued that – in the light of the mass surveillance carried out by US intelligence services, confirmed by the Snowden revelations – the law and practice of the United States did not offer sufficient protection against surveillance by the public authorities of data transferred to that country.

The Irish DPC rejected the complaint on the grounds that it lacked authority, given that the Commission, in its “Safe Harbor Decision”, had already accepted that the US ensures an adequate level of protection. Max Schrems promptly challenged that decision before the Irish High Court which, in turn, referred the case to the European Court of Justice.

Landmark ECJ ruling on privacy and data protection in the EU

In a ruling based not only on the Data Protection Directive but also, importantly, on the Charter of Fundamental Rights of the European Union, the ECJ declared that the Commission’s “Safe Harbor Decision” was invalid.

In its legal reasoning, the Court first observed that the program was applicable solely to companies that adhered to it, and noted that “national security, public interest and law enforcement requirements of the United States prevail over the Safe Harbour scheme”, overriding any undertakings made by companies. The key issue for the Court, therefore, was not the theoretical promises made by companies participating in the Safe Harbor program but rather the reality of American law and practice in protecting personal data.

Concerning US mass surveillance legislation such as (but not limited to) the Patriot Act, the Court made two fundamental observations:
  • “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”
  • “legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection (and) the existence of the rule of law.”

Of course, the ECJ makes no claim to jurisdiction over US legislation, but it does have the duty to examine US law and practice that could impact the rights of European citizens and to take such considerations into account in deciding on the validity of EU legal and regulatory decisions. In this case, the Court concluded that, since the program in question “enables interference, by United States public authorities, with the fundamental rights of persons”, the Commission’s “Safe Harbor Decision” must be declared invalid.

The Court also held that no provision of the Directive prevents oversight by national supervisory authorities of personal data transfers, even where a Commission adequacy decision exists. Concluding the ruling, the Court directed the Irish DPC to “examine Mr Schrems’ complaint with all due diligence” and to “decide whether, pursuant to the Directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.”

With that final sentence, the Safe Harbor framework collapsed.

Safe Harbor 2 won’t be easy

International information flows are vital to the functioning of global business and even more critical to the fast growing digital economy largely driven by US Tech. As legal scholar Timothy Edgar wrote on the Lawfare site, “in the age of big data, it is unthinkable that the US and the EU can do business without routine transfers of personal data. The global economy depends on a new US-EU agreement that allows those transfers to take place – and that will stand up in European courts”.

A solution must be found but time is short, and it won’t be easy.

“Cultural” obstacles in the negotiations

In this upcoming transatlantic showdown, a persistent, underlying difficulty will be that the United States and Europe have very different visions of personal data protection and privacy. At the risk of overgeneralization, one could say that the American side tends to treat data protection as a consumer protection issue while Europe sees it through the lens of human rights. Europeans (especially in continental Europe) also regard respect for private life as a fundamental right, a viewpoint which is less generally accepted in the United States, especially in matters of electronic privacy.

There are, of course, a good number of very admirable American defenders of electronic privacy, but there is also an influential school of thought which considers that privacy is an outdated concept. For example, in the original District Court ruling against Microsoft in the Dublin emails case, the judge approvingly quoted Professor Orin Kerr, a well known legal scholar, who wrote that “protections that apply in the physical world, and especially to one's home, might not apply to information communicated through the Internet." Professor Kerr went even further in a 2004 treatise, stating that an Internet user "does not have … any private space at all."


Legal and political difficulties

In addition to these fundamental US-EU differences in approach, there are at least three specific factors that will make agreement difficult.

  • The ECJ set a very high standard for a solution

The ECJ based its reasoning not only on the Data Protection Directive but also, in large part, on EU constitutional law (the Charter of Fundamental Rights). The Directive could in theory be amended through the ordinary EU legislative process, but amending EU constitutional law would require treaty change, a virtually impossible option in this situation.

The former Safe Harbor program had many defects, for example lack of a compliance audit mechanism, which could be corrected. However, any new agreement would have to address the central EU constitutional issues raised by the Court: abusive access by public authorities to personal data and the impossibility for EU citizens to pursue legal remedies.

The Court did leave some “wiggle room”, in that it stopped short of declaring itself that the United States provides an inadequate level of protection of personal data, leaving that assessment to the Data Protection Authorities. Even so, any new agreement could (and probably would) be challenged before the ECJ, a reality that all of the negotiators should bear in mind.

  • Current “Safe Harbor” alternatives are not sufficient

The prohibition on transfers of personal data to non-EU countries with inadequate levels of protection is not absolute. Article 26 of the Directive provides derogations which should be applicable to daily business transactions with the US, just as they are used when transferring data to most other countries in the world. More specifically, the Directive does provide some mechanisms which could potentially serve as alternatives to Safe Harbor.

Some legal observers have suggested that an option for Internet B2C businesses, in line with Article 26(1)(a) of the Directive, would be to reinforce their “terms of use” with a “disclaimer” requiring users to “consent” to international data transfers and, implicitly or explicitly, to US surveillance.

The problem with this approach, as Max Schrems himself explained in a blog post, lies in the EU’s strict rules on “valid consent”, which under the Data Protection Directive has to be freely given, specific, informed and unambiguous. Facebook, for example, would have to state something specific and unambiguous to the effect that transferred data is open to NSA surveillance, which would hurt its business and run afoul of NSA gag rules. Even if it could find an acceptable formulation, making users choose between losing their personal data (photos, posts from friends, etc.) and accepting US surveillance scarcely qualifies as consent that is freely given.

For B2B data transfers, Article 26(2) of the Directive also provides for contractual solutions binding the exporter and the importer of the data, including Standard Contractual Clauses (SCC) approved by the Commission and, for intra-group transfers within multinationals, Binding Corporate Rules (BCR) authorized by national DPAs.

Unfortunately, as Pierstone, a well known legal firm specialized in IT, pointed out on its Web site: “the reasons for invalidating Safe Harbor, i.e. the breadth of U.S. government surveillance practices, may also be potentially applied to both SCC and BCR, i.e. the Safe Harbor alternatives.”

Without going into the legal details, SCC and BCR could well be part of the solution in many cases, but the compliant use of these mechanisms can be assessed by DPAs on a case-by-case basis. Again citing Max Schrems, “they will hardly stand a challenge before national Data Protection Authorities if the US recipient of personal data is subject to mass surveillance (e.g. when data is stored in the Apple, Google, Yahoo or Microsoft Cloud).”

  • A Safe Harbor 2 agreement would require changes in US law

US surveillance law and practice was the core issue in the collapse of Safe Harbor and, to pass muster with the ECJ, any new agreement would have to resolve the major concerns raised by the Court, namely, the possibility of abusive access by public authorities and the lack of judicial redress.

While the Obama administration has phased out the most egregious excesses, reaching a Safe Harbor 2 agreement would still require significant reform on the US side. Once again according to legal scholar Timothy Edgar: “The US must reform surveillance law...if it wants to restore safe harbor.”

With an election year coming up and the US Congress under the control of a Republican party essentially held hostage by its populist right wing, achieving such reform – worse still under outside pressure – looks for the present politically impossible.

What happens next?

The short answer is: no one really knows. The collapse of Safe Harbor has opened an unprecedented period of legal and regulatory uncertainty.

The EU and the US will try to negotiate a Safe Harbor 2 agreement, but negotiations will almost certainly be “stuck between a rock and a hard place”: the high-minded fundamental rights standards of the European Court of Justice on one side and, on the other, the political impossibility for the US government of yielding on intrusive surveillance. Of course, an interim agreement would be a tempting option, papering over the differences, saving face all around and hoping the problem will go away, but this sort of classic “Brussels fudge” would be very fragile: neither “ECJ-proof” nor acceptable to the Republican-held US Congress.

Under the current circumstances, our working hypothesis is that, by the end of the transition period, even if it is extended by several months, there will be no viable EU-US agreement, at least not one that would be accepted by EU DPAs. While nothing is certain in this messy situation, we see at least four thoroughly unpleasant consequences:

  • Europe will no longer speak with one voice on data protection and privacy
National DPAs will have the initiative to investigate transfers of personal data to the US, determine whether the US provides an adequate level of protection and decide, on a case-by-case basis, whether such transfers should be suspended. In similar circumstances, different national DPAs may come to completely different decisions.

  • International companies (especially American businesses) will have another big compliance headache
For daily business transactions, the basic Article 26 derogations should be applicable. For transfers typically covered by Safe Harbor, companies will need to employ alternative mechanisms such as SCCs (which are inflexible) and BCRs (which require a cumbersome approval process). Companies making such transfers will also need to ensure that their sub-contractors are in compliance. Any such arrangements, however, will be open to challenge by national DPAs, especially if the US recipient has been involved (willingly or unwillingly) in US mass surveillance.

  • Keeping European data in Europe will be a very serious option
Numerous reports have surfaced in the press about Tech companies considering the option of keeping European data in Europe, either directly or through a local partner. This sort of choice could involve significant investment and possibly the sacrifice of some of the business value in data, but it has the merit of simplicity. If transferring European personal data to the US is too much of a compliance headache, then just don’t do it.

  • US Tech will take a big hit
The big losers in this situation are likely to be American Tech companies, especially the B2C Internet giants that the US government essentially bludgeoned into its mass surveillance activities. For these companies, even keeping their EU data in Europe may not be enough if Microsoft loses its brave and principled battle against US claims of jurisdiction over emails stored in its Dublin facilities. If their data is not safe anywhere with US Tech companies, European customers will look elsewhere.

Conclusion

What is really at stake in this transatlantic data showdown is the future of the digital economy. Technology is indeed changing the world, more than ever and mostly for the better, but people have to be able to trust the technologies that they use and trust the companies that deliver them.

Safe Harbor was born fifteen years ago in happier times, before the Twin Towers attacks, the Patriot Act and the excesses of US mass surveillance. The program was never completely in line with the Data Protection Directive, but at that time there was an enormous reservoir of European confidence in the United States and in American technology. Much of that trust has been lost, as reflected in the collapse of Safe Harbor.

There is no quick fix for this sorry situation. In all likelihood, American companies doing business in Europe, and especially US Tech, are just going to have to live through a period of regulatory uncertainty and costly, cumbersome compliance. We can only hope that, at some point, a new and mutually acceptable agreement can be found, so that the European Union and the United States can rebuild the trust that is needed to make the transatlantic digital economy grow and flourish.

Monday, November 2nd 2015
Duquesne Advisory
Duquesne Advisory

Duquesne Advisory is a European firm, dedicated to researching, understanding and advising clients worldwide on opportunities and trends in Information and Communications technology.

Research

Duquesne Advisory delivers in-depth analyses of Information and Communications Technologies, their implementations and their markets. Research is based on critical observation of the market by the analysts and their on-going contacts with the vendor community, together with hands-on, practical experience in consulting engagements.

Consulting

The analysts of Duquesne Advisory leverage the Firm’s ongoing market and technology research to undertake high added value consulting engagements for both ICT users and ICT providers. Focused on client service, their approach is rigorous and methodical, and at the same time pragmatic and operational.