October 9, 2015
By Lokke Moerel and Miriam Wugmeister, Morrison & Foerster LLP
A landmark decision is expected on Tuesday by the European Court of Justice ("ECJ") on the validity of the EU-US Safe Harbor Framework as an adequacy mechanism for European companies to transfer personal information to U.S. companies. If the ECJ follows the Advocate General's ("AG's") opinion issued on September 23, 2015, in this matter, this will have implications for the other data transfer mechanisms currently in place. The ruling could fundamentally change the way in which European organizations are able to conduct business globally.
The AG's opinion reaches two key conclusions: First, despite the fact that the European Commission ("EC") has determined that the Safe Harbor is adequate, each of the 28 Member State Data Protection Authorities ("DPAs") should be free to disregard that finding. This principle would apply equally to the other data transfer decisions and mechanisms. Thus, each DPA could disregard the decision of the EC that a country such as Canada or Argentina provides adequate protection for personal information, or that the Standard Contractual Clauses ("SCC") are considered adequate to ensure protection of personal information. This will have serious consequences. Up until now, one of the real benefits of the EC's decisions is that they applied uniformly across the EU Member States. Thus, European organizations could rely on the fact that every DPA would honor the SCC or would agree that Israel provides an adequate level of data protection. If the ECJ follows the reasoning of the AG, each DPA would be free to decide for itself which adequacy mechanisms are sufficient. This will create significant disruption for European companies that are seeking to protect personal information in a consistent manner when they are transferring their data outside of Europe, whether to their third-party service providers, within their group companies, or to affiliates. The current draft of the European Privacy Regulation ("GDPR") will eliminate this issue, as the GDPR will be directly applicable in all Member States, and the DPAs will not be able to make independent evaluations.
Second, the AG considers the U.S. Government's collection and use of personal information to be excessive. As a consequence, a company that receives personal information under the Safe Harbor is deemed to be unable to provide adequate protection of that personal information. When personal information is transferred to the U.S. based on SCC or Binding Corporate Rules ("BCR"), the U.S. government can access personal information in precisely the same way, making these transfer mechanisms subject to the same criticism. Moreover, this logic would apply to data transfers to countries other than the U.S. If the powers of the U.S. government are considered excessive, that would equally apply to those of many other important trading partners of the EU, such as China, Brazil, and India to name a few. If the ECJ or the EC were to determine that no transfer mechanism is available (because of a government's ability to access the personal information), that suggests that the only option for European companies would be to cease doing business with companies in that country. That cannot be the right result.
Although we understand the concern that in certain countries government powers are overbroad (those of some European Member States included), these issues should be addressed at the political level between countries. Invalidating data transfer mechanisms which govern data transfers between private companies puts these companies in an impossible position. It is passing the "hot potato" to parties that can neither influence nor control the outcome. Only the governments can address this issue.
It is worth noting that on September 8, 2015, the EC and the U.S. agreed on privacy safeguards to govern the exchange of personal information in the context of cooperation between law enforcement agencies. If the safeguards that the U.S. and the EC are willing to implement are adequate in the context of direct sharing of personal information between law enforcement authorities, surely those safeguards should also be adequate when U.S. companies transfer data to law enforcement. By not agreeing to these safeguards at the appropriate governmental level, companies are forced either to violate the European data protection rules and share the personal information as lawfully ordered by U.S. authorities, or to refuse to share the information and risk penalties for not responding to a lawful request from the U.S. government. This type of catch-22 situation will not be solved under the GDPR. The issue will only be exacerbated, as violation of the European privacy rules will carry the risk of a fine of 2% of a company's global revenues.
We do not envy the data protection officers and company executives who will have to decide which law to break.