European Court of Justice Strikes Down Data Transfer Agreement Between United States and European Union

Oct 7, 2015

Reading Time : 4 min

By: Davina Garrod, Natasha G. Kohne, Michelle A. Reed, Hal S. Shapiro, Francine E. Friedman, Jo-Ellyn Sakowitz Klein, Matthew Thomas (Senior Public Policy Specialist), David S. Turetsky, Visiting Professor, College of Emergency Preparedness, Homeland Security, and Cybersecurity at the University of Albany

The U.S.-EU Safe Harbor was agreed to in 2000 after the EU found that the United States did not meet the EU “adequacy” standard for privacy protection pursuant to the European Commission’s Directive on Data Protection. In order to provide a way for U.S. organizations to satisfy the Directive’s adequacy requirement, the U.S. Department of Commerce, in consultation with the European Commission, developed the Safe Harbor Framework. Under the Framework, once self-certifying that they were compliant with the Framework, U.S. businesses were deemed to provide adequate privacy protection and were authorized to transfer data to and from the EU. Also significant, claims brought by EU citizens against U.S. organizations that are participants in the Safe Harbor program will be heard in the United States.

However, in recent years, the U.S.-EU Safe Harbor has been criticized by many, resulting in protracted negotiations between the European Commission and the United States regarding an updated Framework for data transfer. Moreover, revelations regarding U.S. security practices have given rise to legal challenges to Safe Harbor, such as the 2013 complaint regarding Facebook’s compliance with EU data privacy rules that led to the October 6 holding. When that complaint was rejected by the Irish data protection authority on the basis that it was bound by the Framework, the plaintiff appealed to the European Court of Justice, which determined that the Irish Authority not only had the right to investigate, but must do so. In the wake of this ruling, data protection regulators in each of the EU’s 28 countries will have oversight over how companies collect and use online information of their countries’ citizens. Many European countries have widely varying stances toward privacy; for example, the U.K. and German approaches differ greatly. While, generally, there has been a movement toward harmonization of national privacy rules, the October 6 ruling may delay such progress.

This decision by the European Court of Justice is likely not the final word on this issue. In the United States, Commerce Secretary Penny Pritzker decried the ruling, stating that she was disappointed in the European court’s decision, which “puts at risk the thriving transatlantic digital economy.” Pritzker’s comments were echoed by lawmakers on both sides of the aisle. Several Republican members, including Senate Commerce Committee Chairman John Thune (R-SD), also expressed disappointment in the decision and urged negotiators to reach a new, updated data-sharing agreement. Sen. Ron Wyden (D-OR) said that the decision was “misguided” and would unfairly impact U.S. businesses. Secretary Pritzker has said that, despite the ruling and its negative impact on U.S. businesses, the United States will continue to work with EU officials to update the Framework.

In the EU, Frans Timmermans, the first vice president for the European Commission, which will be charged with carrying out the ruling, attempted to ease the concerns of companies by stating that businesses could still move European data to the United States through other existing methods. However, there are concerns about the continued validity of these approaches as well, in light of the October 6 ruling.

Key Takeaways

Although the October 6 decision does not order an immediate end to personal data transfers, it does allow national regulators to suspend them on the basis that they do not provide sufficient privacy protections. This will affect the approximately 4,500 companies that currently use U.S.-EU Safe Harbor to transfer payroll, human resources and other data from the EU to the United States or vice versa, and/or store that data on cloud services in the United States. As a result of the October 6 ruling, firms that wish to store Europeans’ data in the United States or transfer that data to Europe will need to set up alternate arrangements and prepare for challenges from the European regulators. This may be an especially complex exercise in light of potentially differing approaches to data flows in the EU. Additionally, even private disputes brought against U.S. companies related to data privacy issues may no longer be heard in the United States, subjecting companies to litigation oversees. Akin Gump Strauss Hauer & Feld lawyers can help businesses navigate the implications of the October 6 ruling, including ensuring that businesses are in compliance with the relevant EU data protection regulations.

Contact Information

If you have any questions concerning this alert, please contact:

Davina Garrod
Partner
davina.garrod@akingump.com
+44 20.7661.5480
London

Natasha G. Kohne
Partner
nkohne@akingump.com
+971 2.406.8520
Abu Dhabi

Michelle A. Reed
Partner
mreed@akingump.com
+1 214.969.2713
Dallas

David S. Turetsky
Partner
dturetsky@akingump.com
+1 202.887.4074
Washington, D.C.

Hal S. Shapiro
Partner
hshapiro@akingump.com
+1 202.887.4053
Washington, D.C.

Francine E. Friedman
Senior Policy Counsel
ffriedman@akingump.com
+1 202.887.4143
Washington, D.C.

Jo-Ellyn Sakowitz Klein
Senior Counsel
jsklein@akingump.com
+1 202.887.4220
Washington, D.C.

Isabelle R. Gold
Counsel
igold@akingump.com
+1 212.872.7482
New York

Matthew Thomas
Senior Public Policy Specialist
mthomas@akingump.com
+1 212.872.1000
New York

 

Share This Insight

Previous Entries

Akin Deal Diary

April 12, 2023

Read More

Akin Deal Diary

2022-12-15

On December 14, 2022, the Securities and Exchange Commission (SEC) adopted amendments regarding Rule 10b5-1 insider trading plans and related disclosures. The amendments aim to strengthen investor protections concerning insider trading and to help shareholders understand when and how insiders are trading in securities for which they may at times have material nonpublic information (MNPI). In light of these amendments, issuers should review and revise, if needed, their insider trading policies and equity grant policies.

Read more.

...

Read More

© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.