Category: EU

ECJ Rules EU-US Safe Harbor Programme Is Invalid

The powers of EU data protection authorities are significantly strengthened by the decision, allowing them to suspend some or all personal data flows into the United States in certain circumstances.

In Maximillian Schrems v. Data Protection Commissioner (case C-362/14), the European Court of Justice (ECJ) has ruled[1] that the European Commission decision approving the Safe Harbor programme is invalid. Further, the ECJ ruled that EU data protection authorities do have powers to investigate complaints about the transfer of personal data outside Europe (whether by Safe Harbor-certified organisations or otherwise, but excluding countries deemed as having “adequate” data protection laws according to the EU). Finally, the ECJ ruled that data protection authorities can, where justified, suspend data transfers outside Europe until their investigations are completed.

Safe Harbor Programme

According to the European Commission, the United States is a country with “inadequate” data protection laws. The European Commission and the US Department of Commerce, therefore, agreed in 2000 to a self-certification programme for US organisations that receive personal data from Europe. Pursuant to the self-certification programme, a US organisation receiving personal data from Europe must certify that it adhered to certain standards of data processing comparable with EU data protection laws such that the EU citizens’ personal data was treated as adequately as if their personal data had remained in Europe. The Safe Harbor programme is operated by the US Department of Commerce and enforced by the Federal Trade Commission. Over 4,000 organisations have current self-certifications of adherence to Safe Harbor principles.[2]

The Schrems Case

Mr. Schrems complained in Irish legal proceedings that the Irish Data Protection Commissioner refused to investigate his complaint that the Safe Harbor programme failed to protect adequately personal data after its transfer to the US in light of revelations about the National Security Agency’s (NSA’s) PRISM programme. The question of whether EU data protection authorities have the power to investigate complaints about the Safe Harbor programme was referred to the ECJ. Yves Bot, Advocate General at the ECJ, said in an opinion released on 23 September 2015 that the Safe Harbor programme  does not currently do enough to protect EU citizens’ personal data because such data was transferred to US authorities in the course of “mass and indiscriminate surveillance and interception of such data” from Safe Harbor-certified organisations. Mr. Bot was of the opinion that the Irish Data Protection Commissioner, therefore, had the power to investigate complaints about Safe Harbor-certified organisations and, if there were “exceptional circumstances in which the suspension of specific data flows should be justified”, to suspend the data transfers pending the outcome of its investigation.

The ECJ followed Mr. Bot’s opinion and, further, declared that the European Commission’s decision to approve the Safe Harbor programme in 2000 was “invalid” on the basis that US laws fail to protect personal data transferred to US state authorities pursuant to derogations of “national security, public law or law enforcement requirements”. Furthermore, EU citizens do not have adequate rights of redress when their personal data protection rights are breached by US authorities.

The EU-US Data Protection Umbrella Agreement

In the last two years, the European Commission and various data protection working parties have discussed ways to improve the Safe Harbor programme and strengthen rights for EU citizens in cases where their personal data is transferred to the United States. Recently, the United States and European Union finalised a data protection umbrella agreement to provide minimum privacy protections for personal data transferred between EU and US authorities for law enforcement purposes. The umbrella agreement will provide certain protections to ensure that personal data is protected when exchanged between police and criminal justice authorities of the United States and the European Union. The umbrella agreement, however, does not apply to personal data shared with national security agencies.

The umbrella agreement also provides that EU citizens will have the right to seek judicial redress before US courts where US authorities deny access or rectification or unlawfully disclose their personal data. Currently, US citizens have the right to seek judicial redress in the European Union if their data—transferred for law enforcement purposes—is misused by EU law enforcement authorities. EU citizens, however, do not have corresponding rights of redress in the United States. A judicial redress bill has been introduced in the US House of Representatives; adoption of the bill would allow the United States and European Union to finalise the umbrella agreement.

Key Findings of the ECJ Decision

The key findings of the ECJ decision are as follows (quotes indicate excerpts from the ruling itself):

“The guarantee of independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the monitoring of compliance with the provisions concerning protection of individuals”.

The powers of supervisory authorities include “effective powers of intervention, such as that of imposing a temporary or definitive ban on processing of data, and the power to engage in legal proceedings”.

The Safe Harbor programme “cannot prevent persons whose personal data has been or could be transferred to a third country from lodging with the national supervisory authorities a claim. . .concerning the protection of their rights and freedoms”.

National courts can consider the validity of the Safe Harbor programme, but only the ECJ can declare that it is invalid.

Where the national data protection authorities find that complaints regarding the protection of personal data by Safe Harbor-certified companies are well-founded, they “must. . .be able to engage in legal proceedings”.

Organisations self-certified under the Safe Harbor programme are permitted to “disregard” the Safe Harbor principles to comply with US national security, public interest, or law enforcement requirements.

There is no provision in the Safe Harbor programme for protection for EU citizens against US authorities who gain access to their personal data transferred to the United States pursuant to the Safe Harbor programme. There is only a provision for commercial dispute resolution.

The EU Data Protection Directive[3] “requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary”, but there is no such requirement applicable in the United States following the transfer of personal data pursuant to the Safe Harbor programme.

The Safe Harbor programme “fails to comply with the requirements” to protect personal data to the “adequate” standard required by the EU Data Protection Directive and is “accordingly invalid”.

Other Options to Transfer Personal Data to the United States

Safe Harbor-certified organisations should note that there are other options to transfer personal data to the United States, including express consent and the use of Binding Corporate Rules or EU-approved model clause agreements. Organisations using Safe Harbor-certified vendors may wish to discuss these other options with their vendors. There is, however, a risk that this decision could affect these other options, as national security derogations are likely to override the protection of personal data regardless of how it is transferred, with the only exception being the specific and informed consent of an individual to the transfer of his or her personal data to governmental authorities for national security purposes.

Conclusion

The ECJ decision is likely to take the European Commission by surprise.

The powers of national data protection authorities are significantly strengthened by this decision. They could allow data protection authorities to suspend some or all personal data flows into the United States in serious circumstances and where there is a justifiable reason to do so. There is a risk that a data protection authority could order that the data transfers by an international organisation outside of Europe be suspended from that jurisdiction, whereas data transfers in other European jurisdictions are permitted. To mitigate this risk, the European Commission is entitled to issue EU-wide “adequacy decisions” for consistency purposes.

The European Commission has today announced that it intends to release guidance for Safe Harbor-certified companies within the next two weeks.

Article By Stephanie A. “Tess” BlairDr. Axel Spies & Pulina Whitaker of Morgan, Lewis & Bockius LLP
Copyright © 2015 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

[1] See Judgment of the Court (Grand Chamber) (6 October 2015)

[2] See Safe Harbor List.

[3] Directive 95/46/EC

FIVE MINUTES ON… Anti-Bribery and Corruption Laws in Europe

Anti-bribery and corruption has been a hot topic in the US for almost 40 years. The topic has historically however received much less attention within Europe. That is now changing as Europe is beginning to catch up and many European countries have already implemented anti-bribery laws much stricter than those in the US. Recent events have put the topic back on the agenda and we can expect further debate on the effectiveness and efficacy of enforcement in Europe.

The levels of perceived corruption within Europe are generally quite good. Transparency International publish an annual Corruptions Perceptions Index which shows the perceived levels of corruption in 175 countries globally. In its 2014 report, the average score across the EU and Western Europe was 66 (with 0 being highly corrupt and 100 being very clean), much better than the global average of 43. Even those countries with the lowest scores in the EU and Western Europe, being Greece, Romania and Italy, had a score of 43, consistent with the global average. Seven of the top 10 least corrupt countries are actually in Europe (Denmark, Finland, Sweden, Norway, Switzerland, Netherlands and Luxembourg).

Over the last five or so years, countries within Europe have been overhauling their existing, in many cases insufficient, anti-bribery regimes and some countries have implemented anti-bribery laws for the first time. We consider some of the specific regimes below along with their differences and similarities. The majority, if not all, are actually stricter than the laws in the US. The differences of the laws in Europe to the laws in the US have been somewhat of a surprise to many organisations who currently comply with the laws in the US and who don’t necessarily realise that they now need to enhance their practices to comply with more stringent regimes.

What’s Been Happening Across the Pond?

In the US, the Foreign Corrupt Practice Act (FCPA) came into force on 19 December 1977. The FCPA criminalises the paying or offering of a bribe to a foreign official, although the public official themselves do not commit an offence by receiving the bribe. The FCPA requires organisations to have accounting and other controls in place to prevent and detect bribery, but does not specifically require broader anti-bribery programmes. As well as US organisations, the FCPA has extraterritorial reach and catches any other organisation that uses any means of US commerce, including mails, emails, faxes, bank transactions, and similar acts.

Top of the Class: the Uk

Much of the change in approach within Europe and indeed further afield has arguably been led by the introduction in the UK of the Bribery Act 2010 (Bribery Act), which came into force on 1 July 2011, and which is thought to be the strictest anti-bribery legislation in the world.

Similarities between the FCPA and the Bribery Act Differences between the FCPA and the Bribery Act

Territorial Reach

The Bribery Act has a wide territorial reach. It extends not only to offences committed in the UK but also to offences committed outside the UK where the person committing them has a close connection with the UK by virtue of them being a British national or ordinarily resident in the UK, a body incorporated in the UK or a Scottish partnership. For corporations, the corporate offence in the Bribery Act extends to UK as well as non-UK organisations that carry on business or part of a business in the UK. So, for example, a Spanish company that exports to the UK can be in breach of the corporate offence for bribery occurring in Spain, even though that bribery does not involve any UK connected person.

Penalties

The penalties available for breaches of the Bribery Act are severe. They include an unlimited fine, up to 10 years in prison, and orders for directors to be disqualified. Companies can also be prohibited from public procurement and the proceeds from the bribe, for example the monies gained from a contract obtained through corruption, can be confiscated. Penalties under FCPA are slightly less severe with fines being capped to US$2 million (for corporations) and imprisonment for individuals being limited to a maximum of five years.

All Bribes Are Caught, Even Business-to-Business!

Arguably the single most important difference between the Bribery Act and the FCPA is that the Bribery Act prohibits the offering or receiving of a bribe and the bribery of Foreign Public Officials. Unlike the FCPA, the Bribery Act therefore captures private (business to business) bribery and also makes it an offence to receive a bribe as well as pay/offer to pay one. Directors and senior managers can also be found guilty of an offence if their organisation commits one of these offences with their consent or connivance.

Facilitation Payments

Facilitation Payments are payments made to expedite or secure the performance of a “routine government action”. The FCPA expressly authorises such payments. In the UK, such payments are prohibited under the Bribery Act.

The Corporate Defence

The Bribery Act also introduces a corporate offence of failing to prevent a bribe being paid, for which it will be a defence for an organisation to show that it has “adequate procedures” in place to prevent such bribery. Guidance produced by the UK Ministry of Justice explains that these “adequate procedures” need to be guided by six principles: Top-level commitment; Risk assessment; Proportionate procedures; Due diligence; Communication (including training) and Monitoring and review. As stated above, FCPA only requires accounting and other controls to prevent and detect bribery, nothing broader.

Other EU Member States

Most EU Member States have enacted anti-bribery laws with heavy fines. When compared to the Bribery Act, however, such laws are generally more limited in scope and tend to focus on bribery of public officials. Most are however at least consistent with FCPA.

In France, most of the French anti-corruption provisions relevant to businesses are laid down in the French Criminal Code and relate to both the public and private sector and both the offeror and the recipient. Like the UK, the law in France also has an extraterritorial reach and will interestingly apply amongst other situations, where the victim of the bribe is a French national. Penalties for breach of French laws include imprisonment for, in some cases, up to 15 years and financial penalties including, for companies, fines of, in some cases, up to €5 million or twice the amount of the proceeds stemming from the offence. Unlike the UK, there are in France, however, no legal requirements for implementing preventive procedures.

Germany’s anti-bribery laws are contained in the Criminal Code, which prohibits offering, paying or accepting a bribe in domestic or foreign transactions. Separately, civil liability can, if certain criteria are met, attach to companies for offences committed on their behalf due to the Administrative Offences Act. Owners/managers can also be found liable in certain situations. Penalties include five years’ imprisonment (10 years’ imprisonment in severe cases involving a member/official of a public body), a criminal fine and confiscation of monies obtained from the bribe. The Criminal Code also applies to offences committed abroad. One of the key cases to be enforced in Germany was that against Siemens AG, who paid German authorities almost €600 million in fines after they were investigated for paying bribes to secure public-works contracts in a number of countries. This was in addition to fines paid in the US for breaching FCPA.

In the Netherlands, anti-corruption and bribery laws are predominantly aimed at attempts to bribe public officials. Unlike the UK, Dutch law has relatively limited jurisdictional reach. For example, a foreign non-Dutch company that has committed acts of bribery of a non-Dutch foreign official outside the Netherlands is not subject to the criminal laws of the Netherlands. The maximum penalty under Dutch law is a fine of €740,000 for each case of bribery and for individuals, imprisonment for four years (one year for private commercial bribery) and a fine of up to €74,000.

Outlook

While most Member States have clearly improved their anti-bribery regimes in recent years, what seems to be the biggest hurdle is insufficient enforcement and the considerable differences in the enforcement levels across Europe, in particular when it comes to bribery abroad. Relying on the UK (or the US) will soon stretch the already limited resources that individual countries can bring to bear. It seems that the European Union itself will take action in the foreseeable future. Certainly there would be jurisdictional concerns as regards the criminal aspects for individuals, but the Commission’s war on cartels has shown that it is well-suited to enforcing policy. Currently, however, the Commission contends itself with issues in a biannual report on corruption in each Member State.

Given the extra-territorial reach discussed above, European businesses need to make sure that they are compliant with all the different antibribery laws that could affect their business. This is not only the laws in their own countries, but also the laws abroad. Many organisations acting internationally and globally are seeking compliance with the Bribery Act as compliance with the Bribery Act should be sufficient to also achieve compliance with any other anti-bribery legislation.

ARTICLE BY Rob ElvinLouise Roberts & Tim Wünnemann of Squire Patton Boggs (US) LLP

© Copyright 2015 Squire Patton Boggs (US) LLP