Following the advice of its advocate general, the European Court of Justice (ECJ) on October 6 issued a ruling that immediately invalidated a 15-year-old program that allows U.S. companies to transfer personal data outside the European Economic Area (EEA) if they self-certify their compliance with privacy principles similar to those found in the EU Data Protection Directive. As a result, U.S. companies that are certified under the U.S.-EU Safe Harbor Program must find alternative ways to lawfully transfer personal data outside of the EEA.
The ECJ ruling overturned a 2000 decision by the European Commission, which found the Safe Harbor program, which is administered by the U.S. Department of Commerce and enforced by the U.S. Federal Trade Commission, provided adequate privacy protection in line with the Data Protection Directive.
"Businesses on both sides of the Atlantic are seriously concerned about the implications of today’s ruling,” wrote the U.S. Chamber of Commerce’s Myron Brilliant in a statement following the ruling. “More than 4,400 European and American companies of every size have relied on this agreement to be able to move data seamlessly across the transatlantic economy while providing a high standard of protection for consumers.”
A week earlier, the ECJ’s advocate general had issued an advisory opinion that the program should be ruled invalid. The opinion argued that EU citizens whose data is transferred to the United States may find that their privacy rights are violated because of “mass, indiscriminate surveillance” carried out by U.S. security agencies, and because there are no rights for EU citizens “to obtain access to or rectification or erasure of data, or administrative or judicial redress with regard to collection and further processing of their personal data taking place under the United States surveillance programs.”
According to the UK’s information commissioner’s office (ICO), EU regulators will give American businesses time to get new data transfer agreements in place. “The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law,” said David Smith, ICO deputy commissioner, in a statement. “We recognise that it will take them some time for them to do this.”
The ruling is expected to put significant pressure on the Obama administration to quickly complete a new agreement to update the program. The United States and the EU have been in negotiations since November 2013 following revelations that the U.S. National Security Agency was engaged in comprehensive surveillance practices that targeted European leaders and citizens.
A stumbling block in those negotiations has been the fact that U.S. citizens have the right to seek judicial redress in the EU in case of the misuse of their data transferred for law enforcement purposes, but EU citizens have no reciprocal right in the United States. However, on September 8, U.S. and EU officials tentatively approved a data protection umbrella agreement that will give EU citizens that right. In addition, the agreement includes provisions on purpose limitation, data retention periods, the right for individuals to access their data and seek rectification, and a prohibition of the onward transfer of data without the consent of authorities in the country in which the data originated.
To take effect, the umbrella agreement requires the approval of legislation by the United States. On September 17, the House Judiciary Committee approved a bill (H.R. 1428) to grant EU citizens limited access to U.S. courts for alleged government misuse of their personal data transferred to the United States.
The EJC’s ruling on the U.S.-EU Safe Harbor Program is expected to have expedited Congressional action in both the House and Senate. Once judicial redress for EU citizens in the United States is in place, the new agreement would have to be ratified by the European Parliament before formal adoption by the EU Council.
“Legislative action by the U.S. Congress establishing enforceable judicial redress rights for Europeans in the U.S. can open the door to closing the deal on the data protection umbrella agreement,” said European Commission Vice President Viviane Reding in a statement. “This is an important first step towards rebuilding trust in our transatlantic relations.”