U.S. Privacy Safe Harbor—More Myths and Facts

By Lothar Determann

Lothar Determann practices data privacy law at Baker & McKenzie in Palo Alto, Calif., focusing on international data privacy law. He also teaches data privacy law at the University of California, Berkeley School of Law (Boalt Hall), UC Hastings College of the Law and Freie Universität Berlin. He has authored more than 100 articles and five books, including Determann's Field Guide to Data Privacy Law (2nd Ed. 2015) and California Privacy Law (2015).

On Oct. 6, the Court of Justice of the European Union (CJEU) invalidated a decision that the Commission of the European Communities issued 15 years ago. In Decision 2000/520 (Safe Harbor Adequacy Decision), the Commission had ruled that companies in the European Economic Area (EEA) may transfer personal data to U.S. companies that certify compliance with the Privacy Safe Harbor Principles and have registered with the U.S. Department of Commerce—unless and until data protection authorities suspend data flows based on privacy concerns. In its 2015 judgment, the CJEU held that such a decision by the Commission “does not prevent a supervisory authority of a Member State … from examining the claim of a person concerning … the processing of personal data … when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection”—which the Safe Harbor Adequacy Decision already acknowledged—and also that the Safe Harbor Adequacy Decision itself is invalid (194 Privacy Law Watch 194, 10/7/15) (14 PVLR 1825, 10/12/15).

The judgment is final, unappealable and remarkable. In the first of its two holdings, the Court held that data protection authorities must remain able to examine claims, even though the Decision itself had already contemplated a right and duty of national data protection authorities to examine and suspend data transfers in cases of concern. With this holding, the CJEU, formerly known as “the motor of European integration,” de-harmonized EU data protection laws by shifting powers from the European Commission back to national data protection authorities, which can now establish divergent national standards for international relations and foreign investment conditions. The Court also shifted power from the executive to the judiciary by asserting a right for the Court to measure a Commission decision of 2000 against changes in European constitutional law and developments in international espionage that took place after the Commission issued its original decision and that were hardly examined in the underlying case. The Court did so even though the Commission had already identified concerns itself and was close to addressing them with changes to the Safe Harbor Program.

Since Oct. 6, national data protection authorities in the EEA have rushed to issue inconsistent and unclear guidance to local companies that do business with the U.S. Chaos ensued, and numerous myths were added to those that had previously surrounded the Safe Harbor Program:[2]

Myth: The Courts in Ireland and Luxembourg Had No Choice but to Challenge and Ultimately Invalidate the European Commission's Decision 2000/520/EC.[3]

The Irish High Court and the CJEU focus on a right and duty of individual data protection authorities to examine international data transfers in cases of concern regarding adequate protections for personal data in the recipient country. After the two courts' decisions, the Irish High Court ordered the Irish Data Protection Commissioner to revisit the specific case that triggered the proceedings. This could have been done much more quickly and efficiently without invalidating the Safe Harbor Adequacy Decision. In 2000, the EU Commission had ordered in Article 3 of its Safe Harbor Adequacy Decision that “the competent authorities in Member States may exercise their existing powers to suspend data flows … in order to protect individuals with regard to the processing of their personal data.” The High Court in Ireland could have simply overturned the Irish Data Protection Commissioner's decision in the case at hand, finding that it should have suspended data flows based on Article 3 of the Safe Harbor Adequacy Decision. Equally, the CJEU could have noted that the EU Commission had already contemplated such data flow suspensions by national data protection authorities.

Myth: The Safe Harbor Was Invalidated.[4]

The U.S. Department of Commerce continues to operate the Safe Harbor Program at https://safeharbor.export.gov, the U.S. Federal Trade Commission continues to enforce Section 5 of the FTC Act and data protection authorities in the EEA can and should continue to consider its adequacy—as they have for 15 years now. Data protection authorities in the EEA are just no longer required to do so under the Safe Harbor Adequacy Decision, which was invalidated.

Myth: The Safe Harbor Was a Pact or Treaty Between the U.S. and Europe.[5]

The U.S. Department of Commerce decided to operate the Safe Harbor Program and the EU Commission decided to find it adequate, each by way of unilateral governmental acts, in consideration of an ongoing dialogue and agreement between close political allies and trading partners. Neither side has to date terminated any pacts or treaties or stopped trade or data flows in either direction.

Myth: Primarily Affected by the CJEU Judgment Are the U.S. Companies that Participate in the Safe Harbor Program (Currently About 4,500).[6]

U.S. companies do not need the Safe Harbor Program. They participate voluntarily. U.S. law imposes privacy compliance requirements on companies in the U.S. and in the EEA, but U.S. law does not specifically restrict international data transfers.[7] Neither U.S. nor EU law requires U.S. companies to certify adherence to the Privacy Safe Harbor Principles.

Primarily affected by the judgment are companies in the EEA that are doing business and exchanging data with U.S. companies in the Safe Harbor Program. Hundreds of thousands of companies in the EEA now have to consider guidance from local data protection authorities and potentially update their notices to data subjects, notifications to data protection authorities and possibly data transfer and processing agreements.[8]

Myth: Data Transfers to the U.S. Are Illegal.[9]

Fact is that companies in the EEA can continue to rely on the European Commission's adequacy decisions regarding Standard Contractual Clauses with respect to data transfers to the U.S. and more than 150 other countries.[10]

For a few other countries, including Argentina, Canada and Israel, companies in the EEA can also rely on country-specific adequacy decisions. For now. Fact is also that the Commission's adequacy decisions regarding particular countries or Standard Contractual Clauses could be challenged on grounds similar to those raised against the Safe Harbor Adequacy Decision. Most countries in the world have fewer constitutional and statutory controls and restrictions on government surveillance than the U.S. does (including countries that have been whitelisted by adequacy decisions as well as some EEA Member States).

In any event, individuals in the EEA are free to send their data wherever they want, including to companies in the U.S. to use their popular online services.

Myth: U.S. Data Privacy Laws Are Not Adequate, Because They Are Not ‘Equivalent to That Guaranteed in the EU Legal Order.’[11]

First of all, the EU Data Protection Directive (95/46/EC) requires “equivalence” only with respect to data protection laws in the EEA Member States, whose laws were harmonized by said Directive. With respect to other countries, the Directive requires “adequacy,” acknowledging that different legal systems can pursue quite different legal means and achieve adequate protections. The U.S. has traditionally prioritized civil litigation over administrative enforcement to contain bureaucracy and by many measures enforced its privacy laws more effectively than the EU has to date.

Second, if equivalence were in fact required, a closer examination of the “EU legal order” might well result in a finding that privacy protection in the U.S. is in fact equivalent to that in the European Union. EU law itself does not set clear standards, because the EU itself lacks legislative jurisdiction in national security matters. Article 13 I of the EU Data Protection Directive allows the EEA Member States to restrict privacy in the interest of national security, defense, public security and law enforcement, and drafts of a new EU Data Protection Regulation contain similar carve-outs. At the national level, EEA Member States have enacted quite divergent and significant restrictions on privacy protections in the interest of national law enforcement and intelligence gathering.[12]

Myth: EU Data Subjects Had ‘No Administrative or Judicial Means of Redress’ or ‘Any Possibility for an Individual to Pursue Legal Remedies.’[13]

Fact is that individual plaintiffs have means of redress and legal remedies under U.S. privacy laws, perhaps even more effective than in the EEA, as evidenced by the many individual privacy lawsuits brought in the U.S. and the relatively few individual lawsuits brought in Europe. Under the Safe Harbor Program, the U.S. additionally made the powerful enforcement apparatus of the Federal Trade Commission specifically available to EEA-based data subjects to enforce the Privacy Safe Harbor Principles against U.S. companies acting on U.S. territory.

Europeans seem overly focused on the U.S. Privacy Act of 1974 and the Judicial Redress Act of 2015 recently passed by the House (203 Privacy Law Watch 203, 10/21/15) (14 PVLR 1929, 10/26/15), perhaps because these laws look more familiar to European data protection law specialists than other U.S. privacy laws. But, aside from these laws, there are other, well-established means of redress and remedies under U.S. privacy laws. The FTC does not have exclusive jurisdiction regarding the enforcement of the Privacy Safe Harbor Principles. It has brought actions against dozens of U.S. companies for violations of the Privacy Safe Harbor Principles based on Section 5 of the FTC Act, which declares unlawful “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” Most U.S. states have enacted similar unfair competition laws that can be enforced by State Attorneys General and private plaintiffs if a U.S. company commits to adhere to the Privacy Safe Harbor Principles and fails to live up to its promises. Rights and remedies under unfair competition laws are neither expressly nor impliedly limited to U.S. residents, and U.S. courts generally assume jurisdiction over U.S. companies regardless of where plaintiffs may reside.

Fact is also that individual lawsuits against government surveillance are rare and difficult to bring successfully in the U.S. and Europe, given the many privileges around government secrecy, particularly with respect to measures to protect national security.[14]

Myth: The European Court of Justice Enhanced Privacy Protection for EU Residents With Its Judgment.[15]

As a matter of fact, intelligence services in the U.S. and in Europe are not subject to the CJEU decision. For all we know, they have been gathering data just as much since Oct. 6 on both sides of the Atlantic and continue to cooperate closely with each other. It hardly matters where data is stored or transferred.

As a matter of politics, governments in the U.S. and in the EU Member States have been under pressure to reconsider the scope of their surveillance programs for years. It remains to be seen whether the CJEU judgment and the resulting re-nationalization of data protection law in the EEA will have a positive impact on this process.

If the U.S. Commerce Department discontinues the Safe Harbor Program, EU residents will lose the protection of the FTC that has been enforcing principles of EU data protection laws in the form of the Privacy Safe Harbor Principles. This would not enhance privacy protections.

See Hengesbaugh, IAPP, Five Myths About Safe Harbor (2015), available at https://iapp.org/news/a/five-myths-about-safe-harbor; Determann, Social Media Privacy–12 Myths and Facts, 2012 Stanford Technology Law Review 7 (2012); Determann, Data Privacy in the Cloud: A Dozen Myths and Facts, 28 The Computer & Internet Lawyer 11, 1 (November 2011); U.S. Mission to the EU statement on data privacy (2012), available at http://useu.usmission.gov/data_privacy.html [all websites cited in this article were accessed 2015-10-31].

High Court of Ireland, Schrems v Data Protection Commissioner, [2014] IEHC 310, 2013 765 JR, 18/06/2014, #66, available at http://www.bailii.org/ie/cases/IEHC/2014/H310.html.

Gilbert, Invalidation of the Safe Harbor: Will It Cause the Adoption of Data Silos? (211 Privacy Law Watch 211, 11/2/15) (14 PVLR 1958, 11/2/15).

Mark Scott, Data Transfer Pact Between U.S. and Europe Is Ruled Invalid, New York Times, Oct. 6, 2015.

Carly Nyst, At last, the data giants have been humbled, The Guardian, Oct. 7, 2015, available at http://www.theguardian.com/commentisfree/2015/oct/07/data-giants-internet-legal-facebook-google; Gilbert, supra.

See generally, Determann, California Privacy Law—Practical Guide and Commentary (2015), #1-5:4.

Leman Solicitors, Safe Harbour—are data transfers to the US now illegal?, available at http://www.lexology.com/library/detail.aspx?g=e0a0d4cd-7468-4521-967d-cd3ce8856125.

See, e.g., http://www.datenschutzzentrum.de (Schleswig-Holstein) (201 Privacy Law Watch 201, 10/19/15) (14 PVLR 1898, 10/19/15); Gilbert, supra.

See Determann's Field Guide to International Privacy Law, 2nd Ed. (2015), Ch. 3; Determann, EU Standard Contractual Clauses for Transfers of Personal Data to Processing Service Providers Reassessed (10 PVLR 498, 3/28/11) (61 Privacy Law Watch, 3/30/11); Hengesbaugh/Mensik/Determann, Global Data Transfers and the European Directive—A Practical Analysis of the New ICC Contract Clauses, Bloomberg BNA Privacy & Security Law Report, 4 PVLR 153, pp. 153-156 (2/7/05).

CJEU, Case C-362/14, Schrems v. Data Protection Commissioner, Oct. 6, 2015, #96.

Determann/zu Guttenberg, On War and Peace in Cyberspace: Security, Privacy, Jurisdiction, 41 Hastings Const. L.Q. (2014).

CJEU, Case C-362/14, Schrems v. Data Protection Commissioner, Oct. 6, 2015, #90, 95.

See, e.g., Jewel v. NSA, No. 08-CV-04373 (N.D. Cal. Sept. 18, 2008) (complaint filed) (7 PVLR 1391, 9/22/08); ACLU v. Clapper, 959 F. Supp. 2d 724 (S.D.N.Y. 2013) (249 Privacy Law Watch, 12/30/13) (13 PVLR 23, 1/6/14); Klayman v. Obama, 957 F. Supp. 2d 1 (D.D.C. 2013) (12 PVLR 2121, 12/23/13) (242 Privacy Law Watch, 12/17/13); and, more generally, Determann/Michaud, U.S. Privacy Redress and Remedies for EU Data Subjects (forthcoming in Bloomberg BNA Privacy & Security Law Report).