Tag Archives: Safe Harbor

Top EU Court Says ‘National Security’ Does Not Override Everything Else

This is not a done deal yet, but it is a very interesting development and one, if it holds, that could have significant impact on a lot of countries, including the U.S.

Over the last few years, a number of countries have enacted laws that allow their intelligence apparatuses to override many privacy laws and hoover up vast quantities of data without any particular justification – just in case.   They say that they don’t know what they might need – until they do.  And, there is some justification to that story.  Some.  Justification.

The EU high court, technically called the Court of Justice of the European Union (ECJ), can appoint an Advocate General to advise it on matters where it feels that is justified.

In this case, Privacy International, a privacy rights organization, sued both the UK and France, saying that their respective laws, which require businesses to hand over anything the government asks for just because it says the magic words “national security”, go too far.

Specifically, this case says that the UK’s Investigatory Powers Act (also referred to as the Snooper’s Charter) and France’s Data Retention law go too far.

What happened yesterday is that the Advocate General advising the high court released his opinion.

The opinion says that screaming “terrorist” is insufficient to justify violating people’s rights under the European Directive on privacy and electronic communications.

Very importantly, the ECJ has not handed down its opinion yet; this is just the advice from the AG.  HOWEVER, the ECJ does agree with the AG about 80 percent of the time.

*IF* the ECJ does agree with the AG, that will mean several things:

  1. The UK’s Snooper’s Charter is likely illegal under EU law and will need to be revised if the UK wants to enforce it in the EU.
  2. Likely France’s Data Retention law would violate EU law.
  3. For those of us in the U.S., it would likely mean that the U.S. government’s use of large scale data vacuum cleaners also does not comply with E.U. law.

The AG said that whatever the government does by itself is OK IF IT IS INTENDED TO SAFEGUARD NATIONAL SECURITY AND IS UNDERTAKEN BY THE PUBLIC AUTHORITIES THEMSELVES, WITHOUT REQUIRING THE COOPERATION OF PRIVATE INDIVIDUALS.  So, for example, they could intercept data on fiber optic Internet cables but they can’t ask AT&T to let them tap those cables (which they did) and cannot ask Google or Facebook to hand over their encryption keys.

What the AG is saying is that rather than vacuuming up terabytes of data per hour, that hoovering needs to be done “on an exceptional and temporary basis” and only when justified by “overriding considerations relating to threats to public security or national security”.

When the U.K. leaves the E.U. – maybe this month – it doesn’t have to be bound by E.U. law, but if it doesn’t agree to abide by E.U. law, then companies in the E.U. will not be able to send data to the U.K. and U.K. companies will not be able to collect any data of E.U. residents.

Probably more important for U.S. companies is this.

A few years ago, when the E.U. started enacting privacy laws, they said that laws in the U.S. were not adequate to protect the privacy of E.U. citizens, so data collected by U.S. companies could not be sent to the U.S.

In response to that, the U.S. and E.U. came up with this agreement called Safe Harbor which supposedly protected the privacy rights of E.U. residents.

Unfortunately, this same court ruled that Safe Harbor didn’t really protect the rights of E.U. citizens.  This threw U.S. businesses that suck large quantities of data out of the E.U. into a bit of a tailspin.

After Safe Harbor was struck down, the U.S. got out a large tube of lipstick and put it on Safe Harbor.  The new agreement was called Privacy Shield and it is under review by this same court right now.

If the ECJ agrees with the AG in this different case, it seems like a REALLY small step to say that Privacy Shield doesn’t hack it either, which would create tailspin 2.0.

That would require that the U.S. and E.U. try a third time to come up with something that the courts will hold as adequate.

Various authorities have gotten their respective countries to pass laws that say as long as they claim “national security”, privacy laws do not apply.  Countries that have done this include the U.S., U.K. and Australia, three of the “five eyes” countries.

This battle is far from over, but this is a very interesting development.  Source: The Register


US-EU Agree On New Data Privacy Rules But Hold The Champagne

UPDATE:  The EU Commissioner for Justice made statements just before the agreement was approved indicating that not everyone has signed up for this agreement.  Read Commissioner for Justice Vera Jourova’s comments here.

While the US and EU did not meet their targeted deadline of January 31st for coming up with a replacement for Safe Harbor, they sort of came close.  But, apparently, there are still a number of hurdles to jump through.

First, the US and the European Commission agreed on February 2nd to a new agreement called Privacy Shield to replace the 15+ year old Safe Harbor Agreement.  However, they don’t have the final say on the agreement.

A next step is to get the Article 29 Working Party to agree to the agreement.  WP29 is a group made up of the Data Protection Authorities of all 28 EU nations.  Their approval of this agreement is key to not having another court fight once this rule (if approved) goes into effect.  That is expected to take about 3 months.

Next, the Data Protection Authorities need to agree on what they are going to do in the meantime.  After the court struck down Safe Harbor, they agreed not to enforce the court ruling until January 31st so that the US and EU could come up with a replacement and so that they did not throw the thousands of businesses that used the Safe Harbor Agreement to transfer data between the US and EU into chaos.  That deadline has passed.  I speculate that they will extend the moratorium, but that is anyone’s guess.

And, there is always the court to contend with.  Max Schrems could always go back to the court and say that this new agreement does not solve the problem.

Finally, the agreement requires the US to do certain things and my understanding is that those would have to happen before the agreement could go into effect.  One requirement that WP29 has already said must happen is that the US must pass a law giving EU residents a right to sue in US court for breaches of any agreement.  A bill to that effect is winding its way through Congress, but has not been passed by both Houses, reconciled or signed by the President.

While the diplomats may have signaled success by agreeing to the terms that they did, getting the 28 Data Protection Authorities to agree that these protections are sufficient is another matter.

While I have not seen the actual agreement, reports are that it calls for:

  • Clear safeguards and transparency obligations on the part of US government access.  I think this could be a challenge.  While the US has given the EU written assurances that data access will be limited, whether the gang of 28 believes the US or not could be key to getting the agreement approved.
  • Stronger obligations for US data importers to protect EU citizens’ data.
  • EU citizens must have effective rights of redress.  This includes requirements for the data importer to set up processes, the Federal Trade Commission to create a process for handling EU citizen complaints – something it has never done – and for the Intelligence Community to set up an independent ombudsman to address complaints of inappropriate access.

Some of these may require Congressional action – or not.  In any case, what is clear is that this is not over yet and US companies should not breathe a sigh of relief.  It is, however, a sign that progress is being made.

Information for this post came from the Data Protection Report.

E.U. Safe Harbor Deadline Nears – What Will Happen?

As the self-imposed (by the E.U.) deadline (for coming up with a replacement for Safe Harbor) of January 31st looms near, we don’t really know what is going to happen.  My guess is not much, but stay tuned.

The background is that when the European Court Of Justice struck down Safe Harbor last year, Working Party 29, the group responsible for cleaning up the mess in the aftermath of the ruling, created a deadline of January 31 of this year for a new agreement to be in place or else.  Or else what?  Not really clear.  What could happen is ALL that data transfer which was done under the old Safe Harbor agreement stops.  I don’t believe that will happen.

There are a lot of negotiations happening behind the scenes.

One critical piece, a U.S. law that gives E.U. residents the right to sue for redress in U.S. court for privacy violations – a right that they do not have today and a right which the E.U. said was critical to not shutting down data transfer – passed a vote in a Senate committee.  Typically, there is a long and winding path between a committee vote and the President signing a bill into law, but still, this is a move in the right direction.  Do I think this will get signed by January 31?  No.

On the other side of the coin are the data sharing provisions (what used to be called CISA) in the recent budget bill.  Since the Senate took out many of the privacy provisions, some say that even if an agreement is signed, the ECJ might say that CISA is a huge hole in E.U. citizens’ privacy rights since the law says that you can’t sue companies if they share your private data with the NSA.  Oh, wait, companies share it with Homeland Security.  Which is free to share it with the NSA, FBI, DoJ and a whole raft of three letter agencies.

The E.U. has basically approved the new data protection agreement for Europe called the General Data Protection Regulation or GDPR.  It is actually much stricter in terms of provisions than the old law.

I think February could be very interesting.

Information for this post came from The Register and Dark Reading.

ECJ-Safe Harbor Trickle Down Is Already Starting

First, the European Court of Justice (ECJ) ruled that the 15-year-old Safe Harbor agreement, which allowed companies to transfer data between the E.U. and the U.S., was invalid.  Effective immediately.

Then the Article 29 Working Party (which is responsible for Safe Harbor) met and said that if the E.U. and U.S. don’t come up with a new agreement by the end of January, country data commissioners are free to start filing complaints and fining companies.

This week, the Israeli Law, Information and Technology Authority revoked its prior authorization to transfer data from Israel to the U.S.  There is a somewhat strange relationship between Israel and the E.U. which sort of makes it an honorary member of the E.U. and they had been using the Safe Harbor agreement as a way to justify transferring data from Israel to the U.S.  That is no more.

That means that companies that don’t have binding corporate rules or standard contract clauses that have been approved by at least two E.U. country data protection authorities (once you get to 2, you sort of have a free pass for the rest of the E.U.), can no longer transfer data between Israel and the U.S.

This means that U.S. Silicon Valley companies that have offices in Israel, Israeli companies owned by U.S. companies and Israeli companies that work closely with U.S. companies will need to figure out a new strategy or risk facing fines.

Since it can take 6-12 months to create and get approval for binding corporate rules, it is not something you can change overnight.

Also, since the U.S. and E.U. have been working for two years on a new version of Safe Harbor, which was really a minor tweak, and now they likely have to reinvent Safe Harbor, I doubt it will be done by the end-of-January deadline.

While many very large companies were already concerned about this and have been working for a year or two to get Binding Corporate Rules or Standard Contract Clauses (like Facebook, for example) approved and in place, smaller companies likely have not done that and should now be in a full scale fire fight.

We do not know what the data protection commissioners are likely to do come February 1, 2016, but waiting to see is probably not a good strategy.

It will be interesting to see if there is other fallout before the January 31, 2016 deadline – stay tuned.

If you are a company that does transfer personally identifiable data between the U.S. and the E.U. – or Israel – you should already be talking to legal counsel to see what you need to do to stay off the radar.


Information for this post came from IAPP.

EU Begins To Digest ECJ Privacy Agreement

The Article 29 Working Party (WP29), the group that is responsible for dealing with the fallout from the European Court of Justice invalidation of the Safe Harbor Agreement, met for the first time since the decision to start sorting things out.  For companies moving data between the U.S. and the E.U., there were some good things said and some not so good things.

Here is the news:

  • The Working Party thinks that it is essential that they have a robust, collective and common position.  For companies, this is good news. Like dealing with 50 state privacy laws here, dealing with 17 separate legal positions in Europe would be a killer.
  • The Working Party reiterated the court’s position on massive, indiscriminate data collection in the U.S. and said that this was incompatible with E.U. privacy laws.  They (continue to) ignore the massive and indiscriminate data collection done by European spy agencies.
  • The Working Party said that transfers of data to countries where the state authorities have too much power to access data will not be considered a safe destination for transfers.  That is a direct shot at the U.S. and NSA.
  • The Working Party asked the member states to urgently try and work out some sort of agreement with the U.S. using political, legal and technical solutions.  Given that it took everyone two years to come to the agreement on the proposed new agreement that just got blown out of the water, I am not confident in everyone’s ability to create a whole new agreement quickly.
  • The Working Party will continue to look at other laws and agreements that may have been impacted by the court’s decision.
  • In the meantime, standard contract clauses and binding corporate rules can still be used but state data protection authorities can look at individual cases to stop transfers.
  • Any transfers taking place after the court’s decision based on the Safe Harbor agreement are unlawful.  That is, of course, a true statement, but it does not provide much wiggle room for U.S. companies to negotiate with.
  • And, finally, the Working Party set a deadline of January 31, 2016 for the E.U. and U.S. to come to some agreement.  That, in my opinion, is very aggressive and is a timetable that is not likely to be met.  They said if an agreement is not in place by that time, the data protection authorities are committed to taking all necessary and appropriate actions which may include shutting down data transfers.

Of course, they could change their mind tomorrow.  Or in January.  There is nothing carved in stone.

There is one thing that seems important and that is for the U.S. to pass a law allowing E.U. citizens to sue in U.S. court over privacy violations.  That requirement from the E.U. seems non-negotiable. That right does not exist today.  A bill is going to be introduced, but who knows where it will go after that.

What is clear is that U.S. companies that transfer data from the E.U. have a lot of uncertainty and, apparently, a short time frame for two governments to come to some agreement.

I think we live in interesting times.


The WP29 press release can be found here.


European Court Of Justice To Rule Next Week On Max Schrems’ Case

For those of you (all 3 of you) who follow European privacy law, you can skip this post.  The rest may find it interesting.

Max Schrems, who was an Austrian law student and is now a lawyer, has been battling Facebook in particular, claiming that they are violating E.U. law through their various privacy policies.  He has gone to a variety of courts and none of the courts have been willing to touch the case – I suspect due to politics.

Back in 2000, the U.S. and E.U. came up with this agreement called the Safe Harbor agreement.  Supposedly, U.S. companies could transfer data from the E.U. to the U.S. to use if they agreed to abide by this agreement, which was designed to protect Europeans’ privacy rights.  The E.U. decided this was necessary because U.S. privacy laws, in their view, are much weaker than E.U. laws.

Well, after trying to get someone to rule on the case, Schrems went to the European Court of Justice.

Based in large part on documents disclosed by Edward Snowden, Schrems claimed that because the U.S. intelligence community (like every other intelligence community in the world) vacuums up billions of items a day, U.S. companies had no way to comply with the Safe Harbor agreement.  Fundamentally, this is likely true.

The way the process works at the ECJ is that an advisor, in this case a guy named Yves Bot, reviews the case and makes a recommendation.  Yves agreed with Schrems.  The court usually sides with the advisor.

Needless to say, this has the U.S. Mission to the E.U. scared to death.  If the safe harbor agreement gets shredded, then any U.S. company that wants to export data about E.U. residents to the U.S. will need to go through a somewhat convoluted process to convince the E.U. that they are protecting that data in a manner similar to the way E.U. companies do for their citizens.

This could also open many U.S. companies to lawsuits – likely in the E.U., because currently E.U. citizens cannot sue in U.S. court for things like privacy violations.  In fact, the U.S. and E.U. have a draft agreement to replace the 2000 agreement, but the E.U. is refusing to sign that new agreement until the U.S. passes a law allowing E.U. citizens to sue in U.S. court – something that has to make it through Congress, which is no small task these days.

Of course, none of this changes the issues surrounding NSA snooping.  Curiously, the Intercept wrote a very detailed article that I will write about tomorrow talking about GCHQ (Britain’s equivalent of the NSA) doing the same kind of snooping the NSA does.  In fact, that is what all government intelligence agencies do.  The Internet is the go to place for terrorists, so you can’t exactly expect them to ignore it.

In any case, the ECJ has announced that they will rule on October 6th.  The U.S. Mission has asked them to ignore Mr. Bot and rule against Schrems and, basically, for the United States.  It is not at all clear which way this will go, but it is guaranteed that some people will be unhappy no matter what happens – there is no Solomon solution here.

Stay tuned for the details next week.