Earlier today, the Court of Justice of the European Union (CJEU) announced its determination that the U.S.-EU Safe Harbor program is no longer a “safe” (i.e., legally valid) means for transferring personal data of EU residents from the European Union to the United States.
The CJEU determined that the European Commission’s 2000 decision (Safe Harbor Decision) validating the Safe Harbor program did not and “cannot eliminate or even reduce the powers” available to the data protection authority (DPA) of each EU member country. Specifically, the CJEU opinion states that a DPA can determine for itself whether the Safe Harbor program provides an “adequate” level of personal data protection (i.e., “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union” as required by the EU Data Protection Directive (95/46/EC)).
The CJEU based its decision invalidating that Safe Harbor opinion in part on the determination that the U.S. government conducts “indiscriminate surveillance and interception carried out … on a large scale”.
The plaintiff in the case that gave rise to the CJEU opinion, Maximilian Schrems (see background below), issued his first public statement praising the CJEU for a decision that “clarifies that mass surveillance violates our fundamental rights.”
Schrems also made reference to the need for “reasonable legal redress,” referring to the U.S. Congress’ Judicial Redress Act of 2015. The Judicial Redress Act, which has bi-partisan support, would allow EU residents to bring civil actions in U.S. courts to address “unlawful disclosures of records maintained by an [U.S. government] agency.
Today’s CJEU opinion invalidating the Safe Harbor program follows on the September 23, 2015, opinion from the advocate general (AG) to the CJEU in connection with Maximilian Schrems vs. Data Protection Commissioner.
In June 2013, Maximilian Schrems, an Austrian student, filed a complaint with the Irish DPA. Schrems’ complaint related to the transfer of his personal data collected through his use of Facebook. Schrems’ Facebook data was transferred by Facebook Ireland to Facebook USA under the Safe Harbor program. The core claim in Schrems’ complaint is that the Safe Harbor program did not adequately protect his personal data, because Facebook USA is subject to U.S. government surveillance under the PRISM program.
The Irish DPA rejected Schrems’ complaint because Facebook was certified under the Safe Harbor Program. Schrems appealed to the High Court of Ireland, arguing that the Irish (or any other country’s) DPA has a duty to protect EU citizens against privacy violations, like access to their personal data as part of U.S. government surveillance. Since Schrems’ appeal relates to EU law (not solely Irish law), the Irish High Court referred Schrems’ appeal [...]
The Allegations and Order
According to this recent FTC complaint, Fantage.com failed to complete its annual recertification of Safe Harbor compliance but continued to make publically-available statements about its compliance with the U.S.-EU Safe Harbor Framework. From June 2011 (when the company made its initial self-certification) to January 2014 (when the company renewed its self-certification), the FTC examined the company’s privacy policies and online statements for representations concerning its Safe Harbor status.
In its complaint, the FTC alleged that the company, “…expressly or by implication…” misrepresented that it was a current participant in the Safe Harbor Framework when, from June 2012 until January 2014, its certification had lapsed. The FTC cited the following statement made on the company’s website as an example of the false and misleading representations:
“When we collect personal information from residents of the European Union, we follow the privacy principles of the U.S.-EU Safe Harbor Framework, which covers the transfer, collection, use, and retention of personal data from the European Union.”
While the FTC does not allege substantive violations of the Safe Harbor Framework, the sanctions that follow place compliance obligations on the company. The Settlement Agreement Containing Consent Order:
- enjoins Fantage.com from misrepresenting its compliance with any governmental or self-regulatory data privacy program for 20 years; and
- imposes on Fantage.com detailed record-keeping requirements for five years, including maintenance of records (i) for all advertisements or other statements containing representations about privacy program participation; (ii) all materials that form the basis for preparing such representations; and (iii) all materials that call into question the company’s compliance with the Order.
If Fantage.com violates the settlement agreement, the FTC is empowered to assess up to $11,000 per day in monetary penalties.
Based on these enforcement actions, any company that self-certifies under the U.S,-EU Safe Harbor Framework should immediately:
- check its certification status to ensure that it is marked “current” on the Department of Commerce website: https://safeharbor.export.gov/list.aspx;
- review any privacy policies and online statements referencing the Safe Harbor program to ensure that they properly reflect the status of their certification;
- institute a systemic [...]