Is the New Post-Safe Harbor Data Privacy Law a Silver Bullet or a First Step?

Bryan Cunningham is an information security, privacy, and data protection lawyer, and a senior adviser of The Chertoff Group, a security and risk management advisory firm. Formerly, he was a U.S. civil servant, working for the CIA and the Justice Department and serving as deputy legal adviser to National Security Adviser Condoleezza Rice.

On Feb. 24, President Obama signed into law the Judicial Redress Act. This new law allows citizens of certain European countries to sue the United States for improper disclosure of personal information, including in the context of government and law enforcement activities, just as the current Privacy Act permits U.S. citizens to do. The European justice commissioner called this law "a historic achievement in our efforts to restore trust in transatlantic data flows." 

Whatever the legal merits of the JRA, this piece of legislation has taken on international economic and policy implications far beyond any actual rights it may provide. According to a primary sponsor of the JRA, Rep. Bob Goodlatte, its principal purpose is “to reestablish the United States’ credibility with the European Union following highly publicized leaks of classified information . . . in recent years.”

As a result of leaked disclosures in 2013 relating to U.S. government electronic surveillance activities, U.S.-EU relations with regard to cross-border data sharing of citizen information have been strained, leading to negative consequences for US business, European consumers, and governments on both sides of the Atlantic.  

This culminated in late 2015 when the European Court of Justice nullified the so-called Safe Harbor agreement between the United States and the European Union. Safe Harbor had enabled more than 4,000 US businesses to transfer EU personal data lawfully to the United States, enabling cross-Atlantic commerce.

The nullification of Safe Harbor, and worrisome statements by Europe’s data protection regulators, have left U.S. businesses in limbo, and at substantial legal risk, if they want to continue doing business in Europe. In fact, the Hamburg, Germany data protection authority recently announced it will fine three companies for continuing to rely on Safe Harbor for data transfers after the ECJ decision.

How does the Judicial Redress Act fit in? In striking down Safe Harbor, the ECJ found in it at least two fatal flaws:

First, it found privacy protections under Safe Harbor inadequate because they lacked an “independent oversight mechanism that is both effective and impartial” and that “effective remedies need to be available” for European citizens to seek judicial relief if they feel their privacy is violated by the U.S. government. The JRA is intended to provide Europeans with similar rights to seek relief, at least under one U.S. law, as Americans enjoy.

Second, the ECJ separately invalidated the Safe Harbor Agreement based on its conclusion that U.S. government intelligence surveillance and data collection activities were inconsistent with EU Privacy law.

In fact, the JRA is only one – though a vital – component of a package of reforms negotiated between the United States and the EU following the ECJ’s decision. To restore the lawful commercial transfer of Europeans’ data to the United States, EU political leaders reached an agreement with the U.S. called “privacy shield.”

The agreement, released publicly Feb. 29, is intended to replace Safe Harbor and, at least partially, satisfy the ECJ’s concerns. According to the U.S. Commerce Department, charged along with the Federal Trade Commission, with implementing “privacy shield,” the agreement provides stronger protections for U.S.-EU data transfers, including: enhancing cooperation between EU and U.S. data protection authorities; requiring arbitration by U.S. companies with EU individuals on privacy issues; and mandating new contractual protections for U.S company transfers of EU data to third parties.

The other key element of this overall deal is the so-called Umbrella Agreement between the U.S. and EU, regarding how law enforcement agencies on both sides of the Atlantic share data. The agreement intends to provide additional use limitations and protections for such information sharing. EU authorities have stated that this Umbrella Agreement would not be finalized until the JRA was signed.

But even the signing of this agreement won’t be the end of the story, because it is unclear whether European courts and, equally important, the Data Protection Authorities in each country, will determine that this combination of measures satisfies the privacy concerns that led the ECJ to invalidate Safe Harbor. Further complicating the issue is the fact that the actual language of the Umbrella Agreement has not been publicly released. 

While JRA is a solid first step, our Congress and the Obama administration cannot stop there. This large and complex set of issues will not be resolved without a number of other actions, by our government and in Europe.

Congress should move ahead with legislation modernizing the exchange of evidence in criminal cases, an issue addressed by the Law Enforcement Access to Data Stored Abroad Act, and continue to work toward bilateral agreements with additional European allies to mitigate the legal risk facing U.S. companies because of current incompatibility between U.S and European privacy and data access laws.

Whether the JRA leads directly and quickly to overall solutions to these key data transfer issues or is only a first step on a longer road, it is a positive development.