If one were to take a walk on one of the beaches on France\u2019s famed Riviera, he or she may assume that Americans value their privacy more than Europeans.\u00a0 However, a recent decision by European Court of Justice proves the contrary is true, at least for personal data.
\nRecently the European Court of Justice has called the European Union-United States Safe Harbor Framework into question.\u00a0 The Framework, which went into effect in 2000, aimed to make it easier for U.S. organizations to collect data about E.U. citizens.\u00a0 The decision leaves about 4,500 U.S. companies in a state of purgatory with their business operations relating to the data transfer of data about E.U. citizens.
\nThe story of the Safe Harbor framework starts in 1998 when the European Commission enacted its Directive on Data Protection.\u00a0 This directive prohibited the transfer of personal data from European Union members to third countries that do not provide, either through domestic legislation or international commitments, an \u201cadequate\u201d level of protection.\u00a0 In order to enforce the Directive on Data Protection, the European Commission, called upon all member-states to designate a public authority to monitor the national application of the Directive.
\nIn order for the U.S. to comply with E.U. Directive on Data Collection, the U.S. Department of Commerce in conjunction with the European Commission created the Safe Harbor Framework.\u00a0 The Safe Harbor Framework was meant to ensure that U.S. organizations receiving personal data from members of the E.U. would adhere to privacy standards essentially equivalent to those in the E.U.\u00a0 In order to receive data from the E.U. under the Safe Harbor Framework, a U.S. organization would have to publically declare that it would comply with the principles set forth by the Safe Harbor Framework.\u00a0 After an organization publicly announced its compliance, it could receive data from the E.U.
\nFast forward to 2013, an Austrian Facebook user named Maximilian Scherms filed a complaint with the monitoring authority in Ireland stating that the U.S. did not provide an adequate level protection for his personal data. (As a side note: Facebook\u2019s main European Server is in Ireland, so all Facebook data that gets transferred to the U.S., gets transferred to the U.S. from Ireland).\u00a0 The complaint was motivated by the Edward Snowden leaks, most notably about the NSA, that the laws and government of the United States do not adequately protect personal information from government surveillance.\u00a0\u00a0 The monitoring authority in Ireland dismissed the complaint stating that the European Commission had already written a decision stating that the United States did, in fact, provide an adequate level of privacy.
\nConsequently, Scherms brought suit before the Irish High Court, which handed the case up the European Court of Justice for a preliminary ruling.\u00a0 The ECJ found that the existence of a decision by the European Commission on whether or not a third country provides adequate privacy protections of personal data should not preclude the monitoring authority from investigating claims of whether a third country complies with the standards mentioned in the Directive.\u00a0 Thus, the ECJ gave the public authorities in the E.U.\u2019s member states the power to investigate claims that a third country does not give adequate privacy to personal data and suspend the transfer of data to those countries.
\nThe ECJ also called into question the European Commission\u2019s scrutiny of the Safe Harbor Framework. \u00a0It noted that the point of the Safe Harbor Framework was meant to ensure that the U.S. was providing a level of data protection essentially equivalent to that provided in the E.U. either by its domestic laws or it international obligations.
\nHowever, the ECJ never reached the question of whether the Safe Harbor framework provided an equivalent set of privacy protections. Instead, the ECJ found that only private entities were subject to the Safe Harbor Framework and that public entities were not.\u00a0 Further, the court made note that where there was a conflict between an organization\u2019s obligations to the Safe Harbor framework conflicted with the internal laws of the United States, the internal laws of the United States would prevail.\u00a0 Thus, if Congress or a government agency created a law or regulations conflicting with the principles set forth in the Safe Harbor Framework, the organization would act in accordance with the U.S. legislation or regulations.\u00a0 In effect, the Safe Harbor Framework might become illusory if Congress or an agency so decides.\u00a0 In that sense, the decision seems logical, especially given the ever-changing state of privacy laws in the United States.
\nHowever logical the ECJ\u2019s decision may seem, it leaves U.S. businesses scratching their heads.\u00a0 Before, the Safe Harbor Framework was fastest and most efficient means of acquiring data from Europe.\u00a0 Now, it\u2019s in a state of flux.<\/p>\n
At any time a monitoring authority may pull the plug on the Safe Harbor Framework.<\/p><\/blockquote>\n
\nSome companies have seen this coming and have used European Approved model contract clauses.\u00a0 It should be noted that these clauses limit the amount of personal data that a U.S. organization can receive.\u00a0 Also, the U.S. and Europe have been discussing a new Safe Harbor Framework II for almost two years.
\nThus, while the decision is certainly a blow to the Safe Harbor Framework and the organizations that rely on it, it should not be seen as definitive stop of data sharing between the U.S. and the E.U.\u00a0 There are still methods by which U.S. organizations can obtain personal data from Europe and it looks like a new safe harbor framework might be reached before the rug gets pulled out on the current one.<\/p>\n","protected":false},"excerpt":{"rendered":"If one were to take a walk on one of the beaches on France\u2019s famed Riviera, he or she may assume that Americans value their privacy more than Europeans.\u00a0 However, a recent decision by European Court of Justice proves the contrary is true, at least for personal data. Recently the European Court of Justice has …<\/a><\/p>\n","protected":false},"author":1,"featured_media":3706,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[51],"tags":[],"_links":{"self":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/3705"}],"collection":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/comments?post=3705"}],"version-history":[{"count":1,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/3705\/revisions"}],"predecessor-version":[{"id":7283,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/3705\/revisions\/7283"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media\/3706"}],"wp:attachment":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media?parent=3705"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/categories?post=3705"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/tags?post=3705"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}