European Union’s Highest Court Says US Not Fit to Receive Personal Data.

The EU’s highest court recently invalidated the Safe Harbor agreement for data transfers (of personally identifiable information) between EU countries and the US. The Safe Harbor agreement was created to allow for the transfer of data between the EU and US notwithstanding the fact that the US data privacy laws and regulations are far less stringent than European ones. In the case of Maximilian Schrems v. Data Protection Commissioner, the EU high court said that the Safe Harbor workaround was no longer viable.

In reaching this conclusion, the Court cited inadequate US safety protocols, which became apparent in the wake of the Edward Snowden revelations. Specifically, the Court stressed that the EU places much more emphasis on digital privacy as a fundamental right than the US does. Thus, the Court first held that “legislation [like what exists in the US] permitting the public authorities to have access on a generalized basis to the content of electronic communications” is a violation of the right to privacy contained in the EU Charter of Fundamental Rights. Second, the Court found that companies needed to allow consumers to delete their digital footprints (a/k/a the right to be forgotten). Third, the Court held that consumers need more judicial access for data privacy violations to hold companies accountable (which is often not possible in the US because of the standing issues on which we have previously written). Because of these deficiencies, the Court ruled that the Safe Harbor agreement had to go.

So, why should you care? First, if you are an American company that conducts business in the EU (or a European company that conducts business in the US), you now have to be careful as to what data you share across borders. This gets interesting if, for example, you are a London-based insurance company that transacts business in the US and that is embroiled in a bad faith lawsuit in the US. How, for example, can you now produce personnel jackets of employees (which are discoverable as a matter of course in a bad faith claim)? If you do, are you in violation of Schrems? If you don’t, are you guilty of contempt of court?

And what then of companies that are involved in litigation and have European operations (or parents)? If they produce documents, are they subject to EU fines? If they don’t, are they breaching the “cooperation” clause in standard ISO-based insurance policies?

Schrems does not answer these questions (and it does not seem that the dangers of US litigation were high on the Court’s list of concerns). But the danger is real, and the only solution would seemingly take place on the US federal level, that is, in Congress, which would have to enact federal legislation to address the issue. Anyone want to take any bets on whether that is likely to happen in this Congress?

Special thanks to Matt Care for his contributions to this post. For more information please e-mail Bob Cosgrove.