European Court of Justice endangers transatlantic data flow


On October 6th, 2015 the European Court of Justice (ECJ) decided to invalidate the Safe Harbor Agreement between the United States and the European Union: The reason is the insufficient protection of EU citizen’s data in the United States. In reaction to the ruling the U.S. Congress held two hearings on November 3rd, 2015.


The U.S. Congress sees urgency in developing a unified response to the recent, unexpected Safe Harbor ruling by the ECJ. Two subcommittees of the Energy and Commerce Committee invited the following experts: Victoria Espinel, President and CEO of BSA The Software Alliance; John Murphy, Senior Vice President for International Policy at the U.S. Chamber of Commerce; Marc Rotenberg, President of the Electronic Privacy the Information Center; and Dr. Joshua P. Meltzer, Adjunct Professor at the John Hopkins University School for Advanced International Studies. At the hearing before the Subcommittee on Courts, Intellectual Property and the Internet Robert D. Atkinson, Founder and President of the Information Technology and Innovation Foundation; Peter Allgeier, President of the Coalition of Services Industries; Ed Black, President and CEO at the Computer & Communications Industry Association; and Mark MacCarthy, Senior Vice President at the Public Policy Software & Information Industry Association took part. Victoria Espinel testified at both hearings.

The underlying theme of the hearings were the necessary steps to ensure the unhindered flow of transatlantic data. The reaction in the U.S. has been critical by describing the ruling as economically damaging and calling it digital protectionism.

By declaring the Safe Harbor Agreement invalid, the ECJ suspended transatlantic data flow operating since the year 2000. More than 4000 companies operated under the agreement until the decision by the ECJ. According to Ed Black, 60% of the affected companies were small and medium enterprises. Hence most of the companies are now unsure about whether their business practices are still legal - especially in the light of a 90 day memorandum given by the ECJ.

This uncertainty is further increased by the fact that the ruling of the ECJ did not address other international data flow mechanisms such as Model Contract Clauses or Binding Corporate Rules. Companies now intend to operate under these mechanisms without being sure about their legal standing. Furthermore according to John Murphy’s testimony those mechanisms are additionally burdensome for businesses because of the expense and the time consuming implementation. Murphy estimates that the implementation of binding corporate rules between two companies costs around one million dollars and takes up to 18 months to be finalized. Many small and medium enterprises (SME) are unable to afford those conditions.

In terms of long term consequences all experts seem to agree upon a few points which they consider harmful for their business.

Firstly, they urge U.S. and E.U. lawmakers to come to a solution as quickly as possible, especially since the current situation may harm both sides. Secondly, the impact on SMEs would be especially strong and could, therefore, also concern larger companies as they tend to rely on products and services from SMEs. Third, the ruling by the ECJ may set a precedent for similar agreements that the United States has negotiated with other nations. Israel and Switzerland, for instance, are currently revising their data agreements with the United States. Fourthly, experts like Robert D. Atkinson fear the rise of a new form of protectionism. He argues that the EU seeks to protect European companies from their American competitors, who he considers to be more advanced in the field of digital economy. According to his statement the E.U. seeks to create a “Schengen Area” for data which would prevent third countries from taking part in the market. The idea of a “Single Digital Market” in the E.U. would only be the first step in this direction.

At the two hearings a number of testimonies included solutions on how to make necessary adjustments to the Safe Harbor Agreement by addressing not only the concerns made by the ECJ, but also general objections.

First, a new agreement is needed. Such a new agreement should be made between the federal governments of the United States and the European Union. It should neither be subject of legislation of individual E.U. member countries nor of the 50 U.S. states. This would allow businesses to be reassured and to plan on a long term basis without having to fear short time changes to the agreement. Further the new agreement should address the E.U.’s concerns about protection of European data in third countries and at the same time guarantee that foreign companies do not suffer from disadvantages. In order to achieve this goal Atkinson proposes the creation of a Geneva style convention on the Status of Data.

Second, many are calling for better communication with the E.U. and its citizens, especially with regard to data protection in the United States. This issue is addressed by the Judicial Redress Act, which was unanimously passed by the U.S. House of Representatives and is awaiting approval by the U.S. Senate. Once enacted it will be the prerequisite for the completion of negotiations of the Umbrella Agreement. Victoria Espinel criticized the U.S. Congress in her statement for failing to communicate actions being taken to address foreign privacy concerns. In fact, she considers the Judicial Redress Act and the Umbrella Agreement important in regaining trust from Europeans.

Third, the witnesses asserted that the United States has the opportunity to include clauses in currently negotiated free trade agreements, such as TTIP and TiSA. According to Allgeier such clauses are especially important in preventing localization of data. Localization would prevent any sort of transatlantic common cloud and could be harmful for global competitiveness. Thus, he asserts that by adding necessary measures to the TTIP and TiSA negotiations, it would reduce the lack of international rules for digital trade.

In conclusion, the testimonies shared common aspects in the need to find a timely solution on transatlantic data transfers. There seems to be consensus that any new agreement ought to be negotiated with the European Commission and not with the individual member states. Furthermore, there was a sense of urgency for the U.S. government to better communicate progress being made – i.e. Judicial Redress Act or the Umbrella Agreement; – in direct response to the concerns voiced by E.U. citizens who fear their personal data would not be sufficiently protected in the United States. In the long-run, some of the witnesses voiced the need for a stronger international digital data framework. The question, however, remains how quick such a new framework can be created and implemented, especially in light of the quickly changing nature of digital business, public opinions on privacy issues and government surveillance.

By: Lukas Fulde

Edited by: Dr. Lars Hänsel