Clarity Continues to Elude American Companies Regarding European Personal Data Collection

By Jack Koepke, Staff Member

Standard Contractual Clauses, a mechanism to transfer data from Europe used by American companies, is being threatened while the newest law protecting the privacy of European citizens is itself under scrutiny. If this mechanism is ruled to be in violation of European law, American companies will be unable to transfer data out of the European Union until an alternative is found.

The Safe Harbor Privacy Principles were a set of principles developed at the end of the twentieth century aimed at protecting private information of European citizens being lost, disclosed, or stolen from organizations and corporations that collect and store data.[1] In 2015, the United States and European Union discarded the Safe Harbor in reaction to revelations of United States intelligence community collecting data of European citizens.[2] In order to continue collecting this data, American companies had to certify that they met seven principles of data protection in order to use European citizen data.[3] Included among these principles are a requirement to provide notice, get consent, and have sufficient security, disclosures, and accountability.[4] If an American company sufficiently follows the requirements of the principles, it is able to continue collecting customer data in the European Union.[5]

The latest privacy protection for moving data across the Atlantic is the EU-US Privacy Shield.[6] This new agreement provides Europeans with some avenues to redress complaints about privacy and spying.[7] This agreement also creates a path for European citizens to sue companies in violation of the agreement in national courts. At the same time, this agreement has been criticized by some European detractors, and is already leading to challenges in European Courts.[8] Some detractors argue the independent instruments of redress are not independent at all, and that the restrictions on spying do not adequately restrict surveillance to sufficiently protect privacy.[9]

Now a new concern has arisen from the nullification of the Safe Harbor: While courts across Europe grapple with the validity of the Privacy Shield, the Irish High Court has taken issue with the concept of Standard Contractual Clauses,[10] an important mechanism for data transfer to the United States that has been approved by the European Commission as providing “adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards to the exercise of the corresponding rights.”[11] The Irish Court is referring the matter to the Court of Justice of the European Union (CJEU).[12] While the European Commission has determined that the clauses provide adequate safeguards,[13] the Irish Court has ruled that the CJEU must determine whether the clauses violate the European Charter of Fundamental Rights. The CJEU ruling will impact the way many companies collect data in the European Union. If the court rules the clauses are in violation of European Union law, American companies will need to find yet another way to collect and transfer data from the European Union.[14]

[1] William RM Long & Thomas Fearon, Schrems Judgment in the Irish Commercial Court Raises Concern over the “Model Contracts” for Transfer of Personal Data Out of Europe, Lexology (Nov. 5, 2017) https://www.lexology.com/library/detail.aspx?g=10cb692a-44a4-4496-86d1-8ccad2a529c4.

[2] Id.

[3] Case C-362/14, Schrems v. Data Protection Comm’n, 2015 ECLI:EU:C:2015:650 (Oct. 6, 2015).

[4] Anna E. Shimanek, Do You Want Milk with Those Cookies: Complying with the Safe Harbor Privacy Principles, 26 J. Corp. L. 455, 462-63 (2001)

[5] Id. at 473.

[6] Daniela Baches, BREXIT and the European Legal Framework of Data Protection: Implications on Security Cooperation and Information Sharing, 2017 Conf. Int’l Dr. 46, 49 (2017).

[7] Julia Fioretti, EU-US Personal Data Pact Faces Second Legal Challenge from Privacy Groups, Reuters, Nov. 2, 2016, http://www.reuters.com/article/us-eu-dataprotection-usa-idUSKBN12X253.

[8] Id.

[9] Id.

[10] Supra note 1.

[11] European Commission, Model Contracts for the Transfer of Personal Data to Third Countries, European Commission (Nov. 5, 2017, 12:40 PM), http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm.

[12] Supra note 1.

[13] Supra note 11.

[14] Supra note 1.