Safe Harbor in Troubled Waters

On Tuesday, February 2, 2016, the United States and the European Union announced a new transatlantic “safe harbor” data transfer deal that would allow companies with significant online operations to continue to transfer data between the United States and Europe. This agreement would cover both tech firms like Google, Facebook, Yahoo and Amazon, and non-tech companies like General Motors. However, only a day later, European privacy agencies were expressing skepticism on whether the new agreement, the EU-US Privacy Shield, would adequately protect individual personal information.

This skepticism regarding the viability of the EU-US Privacy Shield results from an October 6, 2015 decision of the Court of Justice for the European Union, which invalidated a Safe Harbor Decision because “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” The privacy concerns surrounding that opinion started when an Irish citizen and Facebook user complained that “in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.” So what are European privacy agencies concerned about now? As the New York Times reported, “[t]he primary concern is how much access American intelligence agencies will have to European citizens’ personal information.”

And therein lays the significant confusion and uncertainty regarding the viability of the UE-US Privacy Shield. Until a deal that sufficiently addresses the concerns of the European national privacy agencies is reached, companies with strong transatlantic online presences cannot be confident that the Privacy Shield will be deemed legal by the European Court of Justice. And as some have reported, American and European officials are at odds on the legality of continuing online data transfers between the United States and Europe. So, for example, Commissioner Julie Brill of the United States Federal Trade Commission expressed her belief that European data authorities will not initiate enforcement actions against companies that continue to operate under the invalidated safe harbor deal previously in place (or presumably the UE-US Privacy Shield). But Isabelle Falque-Pierrotin, chairwoman of a group that comprises the data protection authorities of each of the 28 EU member states, has opined that if a company is operating under the former safe harbor provisions, they do so illegally. Until the issue is fully resolved, companies whose operations rely on the ability to transfer data across United States and European borders face an uncertain future.