European Court of Justice

Welcome to the first Monday in October!

The big issue for this week is tomorrow’s impending decision from the European Court of Justice in the Schrems v. Facebook Safe Harbor matter.

What will be the implications of this decision? How can you, as a company, navigate these waters?

Last week in this space, we advised companies who rely on Safe Harbor for their EEA-to-US data transfers to get a contingency plan in place without delay. On Wednesday, we will present an emergency webinar to discuss the ECJ’s opinion and planning for moving forward.

REGISTRATION IS NOW OPEN

Since the Snowden revelations, trouble has been brewing for the EU-US Safe Harbor program and companies which utilize this program to make transfers of personal information from the EU to the US legal under EU privacy laws. On October 6, the uncertainty generated last week by Advocate General Yves Bot’s opinion invalidating Safe Harbor will come to an end as the European Court of Justice (ECJ) will release its decision in the Schrems Safe Harbor case. It is highly unusual for the ECJ to issue a decision so quickly after publication of the Advocate General’s opinion on a case. However, the ECJ seems to be expediting its decision process. (See the Wall Street Journal’s summary of the usual process here.)


Last week in this space, we advised companies who rely on Safe Harbor for their EEA-to-US data transfers to get a contingency plan in place without delay. This week, we are urging the same and providing this Emergency Webinar to better assist.

The European Court of Justice (ECJ) has announced that it will release its decision in the Schrems Safe Harbor case on Tuesday, October 6.  It is highly unusual for the ECJ to issue a decision so quickly after publication of the Advocate General’s opinion on a case.  However, the ECJ seems to be expediting its decision process.  (See the Wall Street Journal’s summary of the usual process here.)

One way or another, the uncertainty generated last week by Advocate General Yves Bot’s opinion invalidating Safe Harbor will come to an end soon.  Last week we advised companies who rely on Safe Harbor for their EEA-to-US data transfers to get a contingency plan in place without delay.  Now, it’s urgent.

Does your company rely on Safe Harbor to transfer personal data from Europe to the US?  If so, it’s time to think about alternatives to Safe Harbor – and fast.

The European Union’s Data Protection Directive (1998) prohibits the transfer of personal information outside of the European Economic Area unless the receiving country ensures an adequate level of privacy protection.  Soon after the Directive was passed, the European Commission determined that the US doesn’t offer adequate levels of protection.  The EU and the US negotiated the Safe Harbor agreement in 2000 to allow US companies to self-certify that they provide protections that are equivalent to the requirements of the Data Protection Directive.

Currently, over 4,000 US companies rely on the EU-US Safe Harbor program to make their transfer of personal data from the EU to the US legal under European privacy laws.  But in light of the opinion issued today by ECJ Advocate General Yves Bot in the Schrems case, there’s a very high risk that the Safe Harbor program will be invalidated by the European Court of Justice, which is the EU’s highest court.  The AG found that the Commission’s decision (made 15 years ago) that the US-EU Safe Harbor program offers an adequate level of protection to personal data of EU residents was invalid in light of what is now known (largely through Edward Snowden’s disclosures) about the transfer of personal information from companies such as Facebook Ireland to the NSA under the PRISM intelligence program.

The ECJ will issue its ruling on the Schrems case before the end of 2015, and possibly sooner.  The ECJ does not have to adopt the Advocate General’s opinion, but it usually does (with the Google Spain case being a notable exception).  All of this is against the backdrop of negotiations between the European Commission and the US government for reforms to the Safe Harbor program and its enforcement by the US.

So if your company relies exclusively on Safe Harbor as the basis for its transfer of personal data from the EU to the US, it’s time to start considering other bases for the transfer.  The other options are:

  • Consent of the data subject to the transfer. In most circumstances, the consent needs to be explicit and fully informed to be valid.  It’s also important to keep records of the consent in case there’s a challenge.
  • Binding corporate rules for intragroup transfers. BCRs need to be approved by the relevant national information commissioners, and this is a lengthy process (potentially 18 months or more).  So while this is a longer term option, it won’t help if the ECJ invalidates Safe Harbor within the next few months.
  • Contracts between the exporting and receiving entities. The European Commission has provided model clauses that can be incorporated into agreements to ensure adequate protection of the transferred personal data.
  • In the UK, companies may be able to make their own adequacy determinations under guidance issued by the UK’s Information Commissioner’s Office.

However, there’s a very important caveat that would apply to all of these alternatives except possibly the data subject consent option:  BCRs and contracts require the data recipients essentially to promise that the data will be protected to the same level as in the EU.  If your company could receive a subpoena from the NSA or other US government agency to disclose the personal data of EU residents, then the BCRs and contracts would presumably face the same weakness that the Safe Harbor faces: a fundamental incompatibility between EU data protection law and the powers of US government agencies to conduct intelligence operations and require US companies to comply.

The larger question of the international conflict between protecting privacy and enabling intelligence activities aimed at increasing the safety of the public (and, potentially, various other national interests) is a matter for the relevant governments to negotiate – but in the meantime, US companies that rely on Safe Harbor look to be stuck in a hard place.

Please contact Susan Foster or Cynthia Larose at Mintz Levin if you would like advice on steps to take to mitigate your company’s risks in light of the threat to the Safe Harbor program’s existence.

Written by Susan Foster, Solicitor England & Wales/Admitted in California

 (LONDON) Could the European Court of Justice’s May 13, 2014 Google Spain decision delay the adoption of the EU Data Protection Regulation?

In the Google Spain “Right to be Forgotten” case, the ECJ held that Google must remove links to a newspaper article containing properly published information about a Spanish individual on the basis that the information is no longer relevant.  The Google Spain decision has given a much sharper focus to the discussion about the Right to be Forgotten that may soon be adopted as part of the new Data Protection Regulation that is expected to be passed sometime in 2015.  With the advent of the Google Spain decision, an issue that was on the sideline for most businesses – and which was expected by some to be quietly dropped from the draft Data Protection Regulation – has become a hot political issue.  The Right to be Forgotten as interpreted by the ECJ has garnered international attention, deepened the UK/continental EU divide, and ultimately could delay the adoption of a final form of the Data Protection Regulation.

The Google Spain case has been controversial for various reasons.  The decision takes an expansive approach to the long-arm reach of EU data protection law.  It holds search engine providers liable to comply with removal requests even when the information in the search results is true, was originally published legally and can continue to be made available by the original website.  The decision makes the search engine provider the initial arbiter of whether the individual’s right to have his or her information removed from publicly available search results is outweighed by the public’s interest in access to that information.  (For a pithy analysis of the “public record” aspects of the case, see John Gapper’s “Google should not erase the web’s memory” published in the Financial Times.)

Written by Susan Foster, Solicitor England & Wales/Admitted in California

 (LONDON) Google – along with the rest of us – is still considering the implications of the European Court of Justice’s May 13, 2014 decision that Google must remove links to a newspaper article containing properly published information about a Spanish individual on the basis that the information is no longer relevant or accurate.  This decision by Europe’s highest court is unappealable, so the Google Spain case is law throughout the European Economic Area (EEA) until changed by legislation (unlikely) or modified by the ECJ in a later decision (also unlikely).

To reach this conclusion, the ECJ found that:

  1.  Google is a data controller (and not merely a data processor) because it indexes information gleaned from the Internet in order to create its search results.
  2. The information in question (which had to do with a government order that a house be put up for auction due to its owner’s failure to pay certain taxes) is protected personal data despite the information having been properly published at the time of its initial publication. (Ironically, the Spanish newspaper that initially published the information was not required to remove the article – Google just can’t include the article in its search results.)
  3. Countervailing considerations such as the potential burden on Google that will arise from having to consider “right to be forgotten” requests and the interest of the public in having access to past public information are outweighed by the right of the individual to be forgotten.

From one perspective, this is just a search engine case, and the only companies that need to worry about it are search engine companies with some kind of business presence or technical facilities in Europe (which creates the nexus for the EU’s legal jurisdiction).  And of course, historians might be worried, along with anyone else who thinks that public information should stay publicly available to safeguard freedom of expression, or the integrity of the historical record, or the democratic process, or the like.  And EEA residents might even wonder what their life would be like if all search engines blocked off European results because the compliance burden outweighed the ad revenues – or, because, now that they are deemed to be data controllers, they couldn’t work out a way to comply with the Eighth Principle restricting transfers of personal data outside of the EEA . . .

No, the reasons that other (non-search) businesses, particularly in the US, should be concerned about the Google Spain decision are the following:

  • The EU notion of personal data is not the same as the US notion of private information.  It is far broader and includes information obtained from public sources as well as information that an individual has voluntarily disclosed to the world.  When you evaluate your company’s data collection and processing activities, you need to remember that, in Europe, personal data is virtually everything about, or written by, an individual, whether or not the information has already been made public.
  • The EU is unconcerned about imposing huge burdens on companies.  Well, at least it’s unconcerned about imposing huge burdens on large companies that aren’t headquartered in the EEA  – but it would be unwise to look at the Google Spain case as inherently exceptional.  There’s a draft Data Protection Regulation making its way through the EU legislative pipeline that will levy fines for breaches in the order of up to 5% of global turnover.   The draft Data Protection Regulation imposes very strict standards and processes on businesses that process personal data, and the Google Spain decision simply underscores that the balance of rights and interests in the EU is tipped firmly in the direction of the individual.  Message to business?  Get ready for the hammer.  The Google Spain decision shows where it’s going to strike.