Tag Archives: ECJ

E.U. Safe Harbor Deadline Nears – What Will Happen?

As the self imposed (by the E.U.) deadline (for coming up with a replacement for Safe harbor) of January 31st looms near, we don’t really know what is going to happen.  My guess is not much, but stay tuned.

The background is that when the European Court Of Justice struck down Safe Harbor last year, Working Party 29, the group responsible for cleaning up the mess in the aftermath of the ruling, created a deadline of January 31 of this year for a new agreement to be in place or else.  Or else what?  Not really clear.  What could happen is ALL that data transfer which was done under the old Safe Harbor agreement stops.  I don’t believe that will happen.

There are a lot of negotiations happening behind the scenes.

One critical piece, a U.S. law that gives E.U. residents the right to sue for redress in  U.S. court for privacy violations – a right that they do not have today and a right which the E.U. said was critical to not shutting down data transfer, passed a vote in a Senate committee.  Typically, there is a long and winding path between a committee vote and the President signing a bill into law, but still, this is a move in the right direction.  Do I think this will get signed by January 31?  No.

On the other side of the coin is the data sharing provisions (what used to be called CISA) in the recent budget bill.  Since the Senate took out many of the privacy provisions, some say that even if an agreement is signed, the ECJ might say that CISA is a huge hole in E.U. citizens’ privacy rights since the law says that you can’t sue companies if they share your private data with the NSA.  Oh, wait, companies share it with Homeland Security.  Who is free to share it with NSA, FBI, DoJ and a whole raft of three letter agencies.

The E.U. has basically approved the new data protection agreement for Europe called the General Data Protection Regulation or GDPR.  It is actually much stricter in terms of provisions than the old law.

I think February could be very interesting.

Information for this post came from The Register and Dark Reading.

EU Begins To Digest ECJ Privacy Agreement

The Article 29  Working Party (WP29), the group that is responsible for dealing with the fallout from the European Court of Justice invalidation of the Safe Harbor Agreement, met for the first time since the decision to start sorting things out.  For companies moving data between the U.S. and the E.U., there were some good things said and some not so good things.

Here is the news:

  • The Working Party thinks that it is essential that they have a robust, collective and common position.  For companies, this is good news. Like dealing with 50 state privacy laws here, dealing with 17 separate legal positions in Europe would be a killer.
  • The Working Party reiterated the court’s position on massive, indiscriminate data collection in the U.S. and said that this was incompatible with E.U. privacy laws.  They (continue to) ignore the massive and indiscriminate data collection done by European spy agencies.
  • The Working Party said that transfers of data to countries where the state authorities have too much power to access data will not be considered a safe destination for transfers.  That is a direct shot on the U.S. and NSA.
  • The Working Party asked the member states to urgently try and work out some sort of agreement with the U.S.  using political, legal and technical solutions.  Given that it took everyone two years to come to the agreement on the proposed new agreement that just got blown out of the water, I am not confident in everyone’s ability to create a whole new agreement quickly.
  • The Working Party will continue to look at other laws and agreements that may have been impacted by the court’s decision.
  • In the meantime, standard contract clauses and binding corporate rules can still be used but state data protection authorities can look at individual cases to stop transfers.
  • Any transfers taking place after the court’s decision based on the Safe Harbor agreement are unlawful.  That is, of course, a true statement, but it does not provide much wiggle room for U.S. companies to negotiate with.
  • And, finally, the Working Party set a deadline of January 31, 2016 for the E.U. and U.S. to come to some agreement.  That, in my opinion, is very aggressive and is a timetable that is not likely to be met.  They said if an agreement is not in place by that time, the data protection authorities are committed to taking all necessary and appropriate actions which may include shutting down data transfers.

Of course, the could change their mind tomorrow.  Or in January.  There is nothing carved in stone.

There is one thing that seems important and that is for the U.S. to pass a law allowing E.U. citizens to sue in U.S. court over privacy violations.  That requirement from the E.U. seems non-negotiable. That right does not exist today.  A bill is going to be introduced, but who knows where it will go after that.

What is clear that U.S. companies that transfer data from the E.U. have a lot of uncertainty and, apparently, a short time frame for two governments to come to some agreement.

I think we live in interesting times.


The WP29 press release can be found here.


European Court Of Justice Rules On Safe Harbor Agreement

As many people expected, the European Court Of Justice, the highest court controlling European Union law,  ruled in favor of Max Schrems and said that the Safe Habor Agreement, negotiated between the United States and the European Union  in the mid 1990s is invalid and does not provide EU citizens with the protections mandated by the EU data protection directive.

I am currently on a conference call with 2,000 other privacy professionals discussing the impact of this ruling.

The short version is that technically, many companies are now transferring data in violation of the law between Europe and the United States, but that executives should not panic.  Yet.

One part of the ruling is that the EU country data protection authorities (DPAs) do not have to bow down to the European Commission’s decision from the mid ’90s and MAY rule on whether adequate protections are in place – which then have to be referred to the European Court Of Justice, as Max Schrems did.

Another part of the ruling says that disclosures to law enforcement (read this as the NSA, FBI and others) needs to be necessary, proportionate and subject to judicial redress.  Needless to say, that is not what happens today.

It would seem to me that those same rules ought to apply to European surveillance activities, but I don’t think that court directive addresses that.

The US and EU have been working for two years trying to negotiate a new safe harbor agreement and last month initialed a form of agreement, pending the US passing new laws protecting the rights of EU citizens.  Given the ruling today, I assume that this agreement will need to be revisited.

The privacy experts are saying that companies that transfer data between the US and the EU need to start – like tomorrow – looking at their situation with expert counsel and planning the future.

They also point out that this particular judgement ONLY affects Max Schrems lawsuit against Facebook and does not invalidate all other agreements in the world.  It does, however, create a framework or standard for the EU country’s DPAs to assess other lawsuits.

I also expect, now that Schrems has a ruling in his favor, that other lawsuits will be filed.

The United Kingdom data protection authority said that THEY do not plan to shut down the Internet, that people should not panic, etc.

The experts expect that a lot of conversations will begin between the 28 data protection authorities, the European Commission and the United States.

Stay tuned,



strictly necessary, proportionate and subject to judicial redress

European Court Of Justice To Rule Next Week On Max Schrems’ Case

For those of you (all 3 of you) who follow European privacy law, you can skip this post.  The rest may find it interesting.

Max Schrems, who was an Austrian law student and now a lawyer has been battling Facebook in particular and claiming that they are violating E.U. law by their various privacy policies.  He has gone to a variety of courts and none of the courts have been willing to touch the case – I suspect due to politics.

Back in 2000, the U.S. and E.U. came up with this agreement called safe harbor agreement.  Supposedly, U.S. companies could transfer data from the E.U. to the U.S. to use if they agreed to abide by this agreement which was designed to protect European’s privacy rights.  The E.U. decided this was necessary because U.S.. privacy laws, in their view, are much weaker than E.U. laws.

Well, after trying to get someone to rule on the case, Schrems went to the European Court of Justice.

Based in large part on documents disclosed by Edward Snowden, Schrems claimed that because the U.S Intelligence community (like every other intelligence community in the world) vacuums up billions of items a day, U.S. companies had no way to comply with the safe harbor agreement.  Fundamentally, this is likely true.

The way the process works at the ECJ, they have an advisor, in the case a guy named Yves Bot review the case and make a recommendation.  Yves agreed with Schrems.  The court usually sides with the advisor.

Needless to say, this has the U.S. Mission to the E.U. scared to death.  If the safe harbor agreement gets shredded, then any U.S. company that wants to export data about E.U. residents to the U.S. will need to go through a somewhat convoluted process to convince the E.U. that they are protecting that data in a manner similar to the way E.U. companies do for their citizens.

This could also open many U.S. companies to lawsuits – likely in the E.U., because currently E.U. citizens cannot sue in U.S. court for things like privacy violations.  In fact, the U.S. and E.U. have a draft agreement to replace the 2000 agreement, but the E.U. is refusing to sign that new agreement until the U.S. passes a law allowing E.U. citizens to sue in U.S. court – something that has to  make it through Congress, which is no small task these days.

Of course, none of this changes the issues surrounding NSA snooping.  Curiously, the Intercept wrote a very detailed article that I will write about tomorrow talking about GCHQ (Britain’s equivalent of the NSA) doing the same kind of snooping the NSA does.  In fact, that is what all government intelligence agencies do.  The Internet is the go to place for terrorists, so you can’t exactly expect them to ignore it.

In any case, the ECJ has announced that they will rule on October 6th.  The U.S. Mission has asked them to ignore Mr. Bot and rule against Schrems and, basically, for the United States.  It is not at all clear which way this will go, but it is guaranteed that some people will be unhappy no matter what happens – there is no Solomon solution here.

Stay tuned for the details next week.