Cybersecurity turned out not to be, after all, the privacy issue of the year. Rather, the decision of the Court of Justice of the European Union (CJEU) to invalidate the US-EU Safe Harbor Framework was the blockbuster development of 2015.
On October 6, the CJEU struck down the Safe Harbor as an approved mechanism for the transfer of personal data from the EU to the United States. The Court found that the European Commission had not properly assessed the “adequacy” of the U.S. legal regime for data protection, neither in 2000, when the Safe Harbor was first agreed, nor subsequently.
The Court’s concerns stemmed from allegations that the U.S. engaged in “indiscriminate” surveillance for national security reasons, and that such surveillance might mean that data protection for information transferred there might not be “essentially equivalent” to protection in the EU.
“Equivalence,” then, is the challenge of global privacy law today. Data localization mandates imposed in Russia, in particular, but also surfacing as a possibility in other jurisdictions, like Brazil, are threatening international data flows and impeding digital trade.
Indeed, the EU’s stringent restrictions against data transfers to the United States are themselves a significant manifestation of data localization. With luck and good will, a new U.S.-EU Safe Harbor 2.0 will be negotiated and put in place quickly, and other mechanisms to authorize international data transfers – such as Model Contracts and Binding Corporate Rules – will remain available.
Moreover, perhaps the EU will even acknowledge that U.S. checks and balances on government surveillance, and the privacy protections enforced by the Federal Trade Commission (FTC), Federal Communications Commission, 50-plus State Attorneys General, and numerous other federal and state agencies are at least substantially equivalent to those of the EU – especially with regard to government surveillance!