Georgia Tech’s Peter Swire assesses the European ruling against the Safe Harbor Agreement
On October 6 the European Court of Justice (ECJ) invalidated the Safe Harbor Agreement, which facilitated transatlantic data flows, on the grounds that “legislation permitting [American] public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” The ECJ’s ruling also gave EU national and sub-national data-protection authorities the authority to evaluate individually whether Europe-wide deals provide sufficient safeguards for their citizens. This ruling puts in jeopardy the dense flow of data within companies from Europe to the U.S.
On October 14th Professor Swire spoke to an audience of about 40 undergraduate and graduate students and faculty from the Nunn School of International Affairs, the School of Literature, Media and Communication, the School of Interactive Computing, and the College of Business, as well as Georgia State’s Department of Communications. He began by charting the development of privacy protections in the U.S. and Europe, noting that in the 1970s the U.S. had been the pace setter. In the 1980s the Reagan Administration put less emphasis on privacy protections while the Europeans, as part of the effort to create the single market, sought to align national privacy protections. The 1995 Data Protection Directive primarily reflected the preferences of the member states with more stringent provisions. In order to prevent circumvention of these protections, the directive prohibits the export of data to jurisdictions that do not provide “adequate” levels of protection. Given the differences that had emerged between the European and American privacy regimes, the U.S. privacy regime was not considered adequate. The 2000 Safe Harbor Agreement, which enabled U.S. companies to voluntarily comply with a set of standards that the European Commission had accepted as adequate, was a key means of managing the disruptive effects of those regulatory differences.
Edward Snowden’s revelations about the extent of surveillance by the National Security Agency were the catalyst that disrupted this arrangement. They prompted the European Commission to review the Safe Harbor Agreement, which led to negotiations (not yet concluded) on amending it. They re-energized European efforts to strengthen its data privacy regime (also still underway). They served as a spur to Max Schrems’s legal challenge against Facebook that ultimately led to the ECJ’s ruling.
Professor Swire identified two central features of the ECJ’s ruling. The first is the Right of Redress. Under EU law, citizens must have the right to appeal to an independent body if they feel that their privacy rights have been violated. This is the role of the Data Protection Authorities in the EU’s member states. The Federal Trade Commission (FTC) plays this role under the Safe Harbor Agreement. The problem, as Swire described the Court’s ruling, is that the FTC does not have jurisdiction over U.S. surveillance activities. The second feature, with which Professor Swire took more issue, was the view that U.S. law does not provide adequate legal safeguards on surveillance of European citizens’ data that is stored in the U.S. Professor Swire disputed this assessment on two grounds. First, he argued that the U.S. provides more legal safeguards against surveillance in the U.S. than do almost all EU member states. Thus U.S. protections are actually more than adequate compared to European practice. Second, U.S. legal restrictions on surveillance apply only to data held in the U.S. Thus, Europeans’ data in the U.S. has more protections from U.S. surveillance than it does in Europe. Consequently, Swire argued, the ruling is based on a faulty understanding of the practice of surveillance in the U.S. and in Europe.
The challenge, however, is how to deal with the new legal reality. Professor Swire proposed a two-track approach. One relies on the practices for dealing with different privacy regimes that have grown up alongside the Safe Harbor Agreement, notably binding corporate rules and model contracts, which are subject to review (and redress) by European Data Protection Authorities. The other, which models the approach that led to the Safe Harbor Agreement, would involve American and European officials exploring how they balance privacy and security concerns in practice in order to provide a fact-based assessment of equivalence on surveillance issues.
Professor Swire is Nancy J. and Lawrence P. Huang Professor of Law and Ethics in the Scheller College of Business and Senior Counsel at Alston & Bird LLP. In the Clinton Administration he helped to negotiate the Safe Harbor Agreement and he recently served on President Obama’s Review Group on Intelligence and Communications Technology. You can read more about his assessment of the ECJ’s judgement here and of the changing balance between security and privacy in the U.S. here.
The event was co-hosted by Georgia Tech’s Jean Monnet Center of Excellence and Center for International Business Education and Research. Georgia Tech’s Jean Monnet Center of Excellence will be focusing on transatlantic privacy issues during the 2015-16 academic year.
The comments are Peter Swire’s alone and the European Commission cannot be held responsible for any use which may be made of the information provided.