“US Courts Aren’t Helping With EU Data Privacy Relations”
Law 360 11/30/15 By Andre Fiebig
The failure of U.S. courts to recognize that a violation by a company of the data privacy rights of individuals causes them injury increases the difficulty of achieving a practical solution to the current U.S.-EU data privacy dispute.
The EU Data Privacy Directive prohibits the transfer of personal data outside the EU, but gives the European Commission the right to designate nonmember countries which offer "an adequate level of protection" (Article 25). Earlier this year the European Court of Justice held that the protections which the U.S. had in place under the U.S.-EU safe harbor were inadequate (Case C-362/14, Schrems v. Data Protection Commissioner). According to the ECJ, “the term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union.” The clear implication of the ECJ’s statement was that the U.S. lags behind the EU in protecting the privacy of personal data. The data protection authorities in the EU member states tend to share that opinion. Several data protection authorities in Germany have declared that they will no longer approach any transfer of personal data to the United States not only on the basis of the safe harbor, but also binding corporate rules or model contracts even though the Schrems case does not address these other means of transferring data.
There are basically two components to adequate protection: (1) the existence of laws protecting personal data; and (2) remedies for individuals whose personal data have been compromised. Between the common law and the myriad of state and federal data privacy laws which exist in the U.S., the U.S. can make a strong argument that the first component of achieving adequate protection is met. In order to address the second component, the U.S. and the EU entered into an agreement earlier this year to give European citizens the right to sue in the U.S. for violations of their data privacy rights. The extension of that right has also been discussed in the context of the current discussions between the EU and the U.S. to address the effects of Schrems v. Data Protection Commissioner.
However, the disposition of U.S. courts in data privacy cases is likely to undermine whatever mitigating effect that the promise of a U.S. remedy might have in the attempts to reach a deal between the U.S. and the EU. The recent decision of the Seventh Circuit in Silha v. ACT Inc. (Nov. 18, 2015) is yet another example of this. In that case, several students alleged that ACT, Inc. and the College Board illegally collected and sold their personal data. The students relied on several theories of relief, including unfair and deceptive business practices, breach of contract, invasion of privacy, and unjust enrichment. The district court had granted the defendants' motion to dismiss. On appeal, the Seventh Circuit assumed for purposes of the motion to dismiss that the plaintiffs indeed had a right of action under their theories of relief. However, the court refused to recognize that the violation of data privacy gave rise to an injury sufficient to give them standing: "Plaintiffs have not alleged that they lost anything of value as a result of the alleged misconduct."
Although the conclusion of the Seventh Circuit is consistent with the jurisprudence of the U.S. Supreme Court (Clapper v. Amnesty International, 133 S. Ct. 1138 (2013) and other Circuits (Krottner v. Starbucks Corporation, 628 F.3d 1139 (9th Cir. 2010)); Antman v. Uber Technologies Inc., 2015 WL 6123054 (N.D. Cal. Oct. 19, 2015), the trend in U.S. courts is significant because it is precisely this disposition to the protection of data privacy in the U.S. that causes concern on the other side of the Atlantic. Individuals in the U.S. have a difficult time securing relief for data privacy violations because they cannot show direct monetary loss. In contrast, the EU Data Privacy Directive specifically requires the member states to "provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him" (Article 22).
Unfortunately, this all comes at a time when businesses desperately need the U.S. and EU to reach a practical solution for companies to legally share personal data across the Atlantic. As indicated earlier, many European data protection authorities have an extremely negative opinion of U.S. data protection law and have used the Schrems case to impose burdens on companies doing business across the Atlantic which not even discussed in Schrems. Judicial pronouncements such as those of the Seventh Circuit in Silha v. ACT make the achievement of a resolution challenging because they give the impression that the U.S. legal system does not value data privacy. This case will not help restore confidence in Europe that the U.S. provides adequate protection of personal data and will make it even more difficult to reach a political resolution of the data privacy dispute which is practical for trans-Atlantic business.
The European Commission and the U.S. Department of Commerce are working on a solution to this state of uncertainty with the goal of reaching agreement by the end of January 2016. In the meantime, the commission has issued guidance on transferring data from the EU to the U.S. For example, the commission indicates that model contractual rules and binding corporate rules for transfer between affiliate companies might would work or even one of the derogations codified in the Data Privacy Directive. The shortcoming is, however, that the national data protection authorities do not see eye-to-eye with the commission on this point and are not bound by the commission’s guidance communication. For now, therefore, we are in a state of limbo for at least the next several months.