On October 6, the European Court of Justice decided a case concerning Facebook users in the European Union (available here). The EU high court ruled that a 2000 EU Commission decision permitting personal data from the EU to be transferred to the United States was invalid, sending waves of uncertainty throughout the technology industry, particularly for SaaS vendors, hosting companies, and other service providers that collect, process or store personal data.
In 1995, the EU adopted Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, aimed at protecting the right to privacy of individuals while facilitating the free flow of information throughout and outside the EU. The Directive prohibits the transfer of personal data to any country outside the EU if that country does not provide “an adequate level of protection.” The EU provides stricter regulation of the use of personal data than the U.S., so in 2000, the Department of Commerce, in cooperation with the EU, issued the Safe Harbor Privacy Principles and FAQs, and a framework for companies to self-certify compliance. That same year, the EU Commission determined that companies in the United States provided an adequate level of protection if they complied with the Safe Harbor Privacy Principles and FAQs, subject to enforcement by the Federal Trade Commission.
In the case decided on October 6, the Court of Justice held that large-scale, indiscriminate surveillance activities by U.S. intelligence agencies accessing data held by Safe Harbor certified companies demonstrated that fundamental rights and freedoms, particularly the rights to respect for private life and effective judicial protection, are not adequately protected by the Safe Harbor framework. These intelligence activities are carried out in secret and provide no remedies for individuals to access, correct, or delete their personal data. When a law conflicts with the Safe Harbor Principles, the framework requires companies like Facebook, Google, and Yahoo to comply with the law, which resulted in the authorized “storage of all the personal data of all the persons whose data has been transferred from the European Union to the United states without any differentiation, limitation or exception being made in light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail.”
With the Safe Harbor agreement invalid, there are limited exceptions that would allow personal data about an individual to be transferred from the EU to the U.S. The transfer is permitted if the individual consents to such transfer, or if it is necessary to enter or fulfill a contract with the individual, to comply with a legal obligation, to protect the individual’s vital interests, to carry out public interest, or to pursue legitimate interests of the party transferring or receiving the transfer and such interest is not overridden by the individual’s fundamental rights and freedoms. This new, uncertain landscape will require companies to take a good look at the data they work with. Laws in the European Union take a broader view of what constitutes personal data, and include email addresses used to create an account, login credentials, IP addresses, location data from a mobile device, and other information that may relate to a person physically, financially, culturally or socially. Companies that merely receive data over the Internet but do not have an establishment in the EU may not be affected, but the bar for what constitutes an establishment is fairly low. In another judgment on October 1, the Court of Justice ruled that a company exercising only minimal activity through a stable arrangement in an EU country, even if just a single company representative, bank account, or postal address, could have an establishment in that country, making it subject to implementation of the Directive and the specific country’s laws. Data protection supervisors in each country can investigate, intervene, and engage in legal proceedings with respect to any personal data processed in the supervisor’s country, and may even investigate the processing of personal data in another EU country. Companies should tread carefully to consider what their presence in any EU country might be, what data they have access to, and through what authorizations they have such data to understand what the path ahead may look like.
In light of this topic’s importance for our clients, Baer Crossey McDemus will present a free webinar on the new reality of trans-Atlantic data privacy on November 3, 2015. Please email firstname.lastname@example.org for more information, or click here to register.