Safe No More: Is the Sun Setting on the US-EU Data Privacy Law?

By: In: Information Management On: May 12, 2015
Safe No More: Is the Sun Setting on the US-EU Data Privacy Law?

*(Note: if you are a financial institution or telecom company and not regulated by the US Federal Trade Commission, you can relax now. None of this applies to you. But it’s going to be a pretty interesting read if you want to stick around anyway.)

Are you a US company that does business in Europe? Is your company considering expanding into the EU in the near future? If the answer to either of these questions is yes*, and if any of your business activities require you to transfer personal data about EU citizens to the US, then you should absolutely keep reading. Because right now in Europe, a lone activist is leading a very credible effort to take down the US Safe Harbor framework that is your company’s spring board into the multi-billion dollar European trade stream. To understand what is happening in Europe and how it affects both businesses and electronic data management here in the US, two basic questions need to be answered. First, what is “Safe Harbor,” and second, why is it so important?

If you manage electronic records that originate in Europe, then you are probably familiar with the term Safe Harbor. But if you aren’t familiar with it, the following mini-history lesson will get you up to speed. The right to privacy is, for Europeans, a fundamental and deeply-rooted human right. Privacy rights in Europe were enshrined in national law long before the mass electronic transfer of personal data became commonplace. In 1995, the EU published Data Protection Directive 95/46/EC to regulate and protect the privacy of its citizens with regard to the processing of personal data. The Directive prohibits any transfer of personal data to a country outside of the EU unless the destination country can ensure that the data will receive “adequate” protection. Speaking broadly, the US takes a comparatively laissez-faire approach to personal data and privacy. Because of this, the European Commission considers that existing US data privacy laws do not provide EU-standard data protection. To bridge the gulf between the two regulatory paradigms, the US-EU Safe Harbor Framework was created as a streamlined way for US companies to certify that they will handle personal data in accordance with the Directive and EU privacy laws.

Now for the second question—why is this so important? The nucleus of this story seems fairly unremarkable: nothing more, yet nothing less, than the electronic flow of personal data that quietly streams in almost incalculable volumes from Europe to America every single day. Personal data is not something that most of us spend a great deal of time thinking about, but it is a Big Topic (and a Big Asset) that is growing at a viral rate. When the Directive was issued in 1995, few people could have imagined the insanely lucrative commercial value of personal data in 2015, nor the exponentially-increasing warp speed with which personal data is now created and moved. If you are a US company that does business in Europe, but you use servers located in the US to process some or all of your data, European data will have to travel to the US for processing. However, barring a few exceptions, you would not be able to legally transmit any data that contains personal information about EU citizens to the US unless your company had officially joined the US-EU Safe Harbor program. In our techno-centric 21st century economy, the transatlantic flow of electronic data, and increasingly personal electronic data, is the life blood that supplies oxygen to much of the US-EU system of commerce. The Safe Harbor framework—a framework that underpins a huge and ever-increasing portion of the billions of dollars of trade between the US and EU—is the heart that keeps the data flowing.

Having established the context and the importance, we now turn to secrets, spies and surveillance programs. It is unusual for an article about a serious threat to transatlantic trade to have any legitimate basis for referencing what appears to be a haphazard mash-up of spy fiction clichés. But each of these tropes is a part of the frankly gripping real-world drama unfolding right now. And it all started with Edward Snowden. As most people know, in 2013 former NSA contractor and whistleblower Edward Snowden fled to Hong Kong with a laptop full of classified NSA documents, which he then deliberately leaked to the media and a horrified global audience. This data included details of the NSA’s top-secret PRISM surveillance program, which clandestinely collects internet communications from some of the US’s biggest internet service providers. As data were collected on both US and foreign nationals including Europeans, the Snowden revelations sparked outrage and controversy in Europe over the violation of personal privacy. Consequently, the Safe Harbor program was viewed with increasing suspicion, as the leaks called into doubt the ability of the framework to protect the privacy rights of Europeans. In response, the European Commission announced a review of Safe Harbor in 2013, but ultimately no decisive action was taken toward reversing or suspending the Safe Harbor program. As 2013, 2014, and then 2015 wore on with few concrete repercussions, the immediate threat to Safe Harbor appeared to diminish. This turned out to be a deceptive calm. Because even as the furor over Snowden’s revelations descended to a murmur, a young Austrian named Max Schrems was preparing to challenge both the institution of Safe Harbor and a giant of the techno-economy.

As a law student doing a semester abroad in California’s Silicon Valley, Max Schrems attended a lecture given by Facebook’s privacy attorney Ed Palmieri. From Schrem’s point of view, Palmieri’s talk seemed to reveal a surprising lack of understanding of European data protection laws. Schrems began to investigate Facebook’s privacy practices, and what he found only increased his doubts about Facebook’s compliance with European privacy and data protection laws. Edward Snowden’s leaks concerning the NSA’s PRISM program, and swirling rumors about Facebook’s alleged involvement in the program, caused Schrems to question the legality of the Safe Harbor framework. The apparent synergy between Facebook, Safe Harbor, PRISM and data privacy violations eventually formed the basis of the complaint that he filed against Facebook Ireland with the Irish Data Protection Commissioner in 2013. For procedural reasons, his complaint was ultimately referred up to the Court of Justice of the European Union (CJEU)—the EU’s highest court. On March 24, 2015, senior counsel for Schrems argued his case before the CJEU. Schrems’ position is nothing less than that the entire EU-US Safe Harbor framework is legally invalid. It is largely predicated on the continued existence and operation of NSA’s PRISM program and the mass surveillance and unauthorized collection of personal data conducted under its auspices. According to Schrems, this ongoing invasion of the privacy of European data subjects negates the possibility that Facebook or any other US Safe harbor certified company could guarantee the “adequate” protection that EU privacy law demands.

We don’t yet know how this story will end. CJEU Advocate-General Yves Bot’s nonbinding opinion on the case—the next chapter in this tale— is set to be published on June 24, 2015. The Court is expected to issue its final verdict sometime before October 2015. But even apart from this legal challenge, the trend in Europe is toward requiring non-EU companies to comply with increasingly stringent privacy protections. If the Court agrees with Schrems, it could be the tipping point that leads to Safe Harbor being partially, perhaps even totally, scuttled— and digitally based transatlantic trade could suffer a tremendous disruption. Alternate legal methods of transferring personal data between the EU and the US do exist, but these methods are complicated, expensive and time-consuming to implement. US businesses who are dependent upon their Safe Harbor certification to do business in Europe would be wise to put contingency plans into place now to avoid being forced to tread water in a sea of regulatory uncertainty until the EU either modifies or replaces the framework. Iron Mountain’s in-house experts in the EU data privacy space are ready to offer guidance to companies who need to build another layer of stability into their cross-border electronic data transfer and management operations.

If you’re planning to attend the upcoming MER2015 conference, reach out to Steve Formica ( for further information. In the meantime, be sure to stay tuned to Iron Mountain for the latest information on the future of Safe Harbor as it becomes available.

I would like to gratefully acknowledge the contribution of Michael Flaherty, LLB, and Michael Miller, LLB, both of whom generously shared their knowledge and expertise with me as I wrote this article. They are both experts in the EU Safe Harbor and Data Privacy space.

← A Successful Information Governance Program Requires a Championship Mentality and Approach An Ideal Match: Cloud and Record Retention Schedules →

Leave A Comment


About the author

Bethany Choi

Bethany Choi is a Legal Research Analyst with Iron Mountain’s consulting practice. She specializes in researching legal requirements for business records by industry and keeping abreast of regulatory developments that impact recordkeeping. She is also involved in the subsequent application of laws and regulations to client record retention schedules. She has been with Iron Mountain since 2007.