By Stephen Dockery
The Court of Justice of the European Union will soon take up the question of whether data management agreements between US and European companies satisfy the EU’s rigorous privacy standards after invalidating the previous international data transfer agreement years ago.
The Irish Commercial High Court decided last week that Standard Contractual Clauses that have been used for the handling of personal data transferred cross-continents need to be reviewed by the CJEU high court to see if they comport with European privacy protections.
Following revelations of American surveillance programs, the CJEU tossed out the data transfer framework known as Safe Harbor, which allowed for self-certification of privacy standards, on grounds that the privacy protections for European citizens could not be guaranteed under the agreement.
EU and US officials hammered out a new privacy agreement named Privacy Shield, which was announced last year after extensive negotiations.
The final decision of the CJEU, when it comes, should bring some legal certainty to the international business community after years of tumult in the wake of the invalidation of the Safe Harbor privacy agreement in 2015 and the adoption of a new privacy system called Privacy Shield.
Faced with the uncertainty of the new agreement many companies turned to standard contractual clauses to govern their international data handling operations in lieu of a tested privacy system.
Despite the new agreement, the legal landscape that underlies the judgment, which invalidated the Safe Harbor, largely remains unchanged. The interplay of EU rights legislation, such as the Charter of Fundamental Rights of the European Union, with US surveillance mechanisms including the Foreign Intelligence Surveillance Act, Executive Order 12333, and the PRISM collection program remains central.
The court resisted efforts to construe the Privacy Shield agreement as passing judgment of the adequacy of all American privacy laws and protections. Standard contractual clauses would likely need to withstand scrutiny on their own, the Irish Court said in its opinion.
“Only data transferred and processed in accordance with the very detailed provision set out in the Privacy Shield Decision and its Annexes is deemed to be adequately protected,” Justice Caroline Costello said.
The breadth of surveillance mechanisms in the United States and the lack of meaningful review of those processes drew the attention of the court.
“To my mind the arguments of the DPC (Data Protection Commissioner) that the laws—and indeed the practices of the United States do not respect the essence of the right to an effective remedy before an independent tribunal as guaranteed by Article 47 of the Charter, which applies to the data of all EU data subjects transferred to the United States, are well 133 founded,” Justice Costello wrote about the Charter of Fundamental Rights of the European Union.
The opinion draws attention back to some of the more intractable issues underlying American and European data transfers: The vast amounts of personal information that US surveillance agencies can scoop up backed by congressional and executive authority underlie much of the European resistance to American data transfer.
Those are issues that largely cannot be addressed by trade negotiations between the two bodies. Largely toothless restrictions from the Commerce department will not fundamentally alter the surveillance state in America and standard contractual clauses don’t directly benefit from the mechanisms created in Privacy Shield, so they may be even more susceptible to challenge.
Remedies for privacy invasion remained problematic as well.
Justice Costello called privacy protections in the U.S. “a complex web of constitutional law, sector specific federal statutes, state statutes and common law rules” to which EU citizens may not be able to avail themselves.
The CJEU will now be in the position of offering a uniform approach regarding the legitimacy of standard contractual clauses, offering certainty to companies who currently have to deal with individual data protection officers in each EU country.
The 153-page opinion was intensely briefed by both sides, focusing on the extent and permissiveness of American surveillance programs and the degree to which European citizens could redress privacy violations in the United States. A five-page executive summary of the judgment is also available.
Briefing on behalf of one of the parties challenging the data transfers was provided by the ACLU’s Ashley Gorski, the U.S. Department of Justice also filed a brief as an amicus curie.