Archives For CJEU

European Commission Tentatively Finds US Commitments ‘Adequate’: What It Means for Transatlantic Data Flows

Mikolaj Barczentewicz —  13 December 2022

Under a draft “adequacy” decision unveiled today by the European Commission, data-privacy and security commitments made by the United States in an October executive order signed by President Joe Biden were found to comport with the EU’s General Data Protection Regulation (GDPR). If adopted, the decision would provide a legal basis for flows of personal data between the EU and the United States.

This is a welcome development, as some national data-protection authorities in the EU have begun to issue serious threats to stop U.S.-owned data-related service providers from offering services to Europeans. Pending more detailed analysis, I offer some preliminary thoughts here.

Decision Responds to the New U.S. Data-Privacy Framework

The Commission’s decision follows the changes to U.S. policy introduced by Biden’s Oct. 7 executive order. In its July 2020 Schrems II judgment, the EU Court of Justice (CJEU) invalidated the prior adequacy decision on grounds that EU citizens lacked sufficient redress under U.S. law and that U.S. law was not equivalent to “the minimum safeguards” of personal data protection under EU law. The new executive order introduced redress mechanisms that include creating a civil-liberties-protection officer in the Office of the Director of National Intelligence (DNI), as well as a new Data Protection Review Court (DPRC). The DPRC is proposed as an independent review body that will make decisions that are binding on U.S. intelligence agencies.

The old framework had sparked concerns about the independence of the DNI’s ombudsperson, and what was seen as insufficient safeguards against external pressures that individual could face, including the threat of removal. Under the new framework, the independence and binding powers of the DPRC are grounded in regulations issued by the U.S. Attorney General.

To address concerns about the necessity and proportionality of U.S. signals-intelligence activities, the executive order also defines the “legitimate objectives” in pursuit of which such activities can be conducted. These activities would, according to the order, be conducted with the goal of “achieving a proper balance between the importance of the validated intelligence priority being advanced and the impact on the privacy and civil liberties of all persons, regardless of their nationality or wherever they might reside.”

Will the Draft Decision Satisfy the CJEU?

With this draft decision, the European Commission announced it has favorably assessed the executive order’s changes to the U.S. data-protection framework, which apply to foreigners from friendly jurisdictions (presumed to include the EU). If the Commission formally adopts an adequacy decision, however, the decision is certain to be challenged before the CJEU by privacy advocates. In my preliminary analysis after Biden signed the executive order, I summarized some of the concerns raised regarding two aspects relevant to the finding of adequacy: proportionality of data collection and availability of effective redress.

Opponents of granting an adequacy decision tend to rely on an assumption that a finding of adequacy requires virtually identical substantive and procedural privacy safeguards as required within the EU. As noted by the European Commission in the draft decision, this position is not well-supported by CJEU case law, which clearly recognizes that only “adequate level” and “essential equivalence” of protection are required from third-party countries under the GDPR.

To date, the CJEU has not had to specify in greater detail precisely what, in their view, these provisions mean. Instead, the Court has been able simply to point to certain features of U.S. law and practice that were significantly below the GDPR standard (e.g., that the official responsible for providing individual redress was not guaranteed to be independent from political pressure). Future legal challenges to a new Commission adequacy decision will most likely require the CJEU to provide more guidance on what “adequate” and “essentially equivalent” mean.

In the draft decision, the Commission carefully considered the features of U.S. law and practice that the Court previously found inadequate under the GDPR. Nearly half of the explanatory part of the decision is devoted to “access and use of personal data transferred from the [EU] by public authorities in the” United States, with the analysis grounded in CJEU’s Schrems II decision. The Commission concludes that, collectively, all U.S. redress mechanisms available to EU persons:

…allow individuals to have access to their personal data, to have the lawfulness of government access to their data reviewed and, if a violation is found, to have such violation remedied, including through the rectification or erasure of their personal data.

The Commission accepts that individuals have access to their personal data processed by U.S. public authorities, but clarifies that this access may be legitimately limited—e.g., by national-security considerations. Unlike some of the critics of the new executive order, the Commission does not take the simplistic view that access to personal data must be guaranteed by the same procedure that provides binding redress, including the Data Protection Review Court. Instead, the Commission accepts that other avenues, like requests under the Freedom of Information Act, may perform that function.

Overall, the Commission presents a sophisticated, yet uncynical, picture of U.S. law and practice. The lack of cynicism, e.g., about the independence of the DPRC adjudicative process, will undoubtedly be seen by some as naïve and unrealistic, even if the “realism” in this case is based on speculations of what might happen (e.g., secret changes to U.S. policy), rather than evidence. Given the changes adopted by the U.S. government, the key question for the CJEU will be whether to follow the Commission’s approach or that of the activists.

What Happens Next?

The draft adequacy decision will now be scrutinized by EU and national officials. It remains to be seen what will be the collective recommendation of the European Data Protection Board and of the representatives of EU national governments, but there are signs that some domestic data-protection authorities recognize that a finding of adequacy may be appropriate (see, e.g., the opinion from the Hamburg authority).

It is also likely that a significant portion of the European Parliament will be highly critical of the decision, even to the extent of recommending not to adopt it. Importantly, however, none of the consulted bodies have formal power to bind the European Commission on this question. The whole process is expected to take at least several months.

In Data Privacy & Security, European Union, International, Platforms, Truth on the Market , , , , ,
permalink

US-EU Agreement Hopes to Keep Transatlantic Data Flowing

Kristian Stout —  29 March 2022

Though details remain scant (and thus, any final judgment would be premature),  initial word on the new Trans-Atlantic Data Privacy Framework agreed to, in principle, by the White House and the European Commission suggests that it could be a workable successor to the Privacy Shield agreement that was invalidated by the Court of Justice of the European Union (CJEU) in 2020.

This new framework agreement marks the third attempt to create a lasting and stable legal regime to permit the transfer of EU citizens’ data to the United States. In the wake of the 2013 revelations by former National Security Agency contractor Edward Snowden about the extent of the United States’ surveillance of foreign nationals, the CJEU struck down (in its 2015 Schrems decision) the then-extant “safe harbor” agreement that had permitted transatlantic data flows. 

In the 2020 Schrems II decision (both cases were brought by Austrian privacy activist Max Schrems), the CJEU similarly invalidated the Privacy Shield, which had served as the safe harbor’s successor agreement. In Schrems II, the court found that U.S. foreign surveillance laws were not strictly proportional to the intelligence community’s needs and that those laws also did not give EU citizens adequate judicial redress.  

This new “Privacy Shield 2.0” agreement, announced during President Joe Biden’s recent trip to Brussels, is intended to address the issues raised in the Schrems II decision. In relevant part, the joint statement from the White House and European Commission asserts that the new framework will: “[s]trengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities; Establish a new redress mechanism with independent and binding authority; and Enhance its existing rigorous and layered oversight of signals intelligence activities.”

In short, the parties believe that the new framework will ensure that U.S. intelligence gathering is proportional and that there is an effective forum for EU citizens caught up in U.S. intelligence-gathering to vindicate their rights.

As I and my co-authors (my International Center for Law & Economics colleague Mikołaj Barczentewicz and Michael Mandel of the Progressive Policy Institute) detailed in an issue brief last fall, the stakes are huge. While the issue is often framed in terms of social-media use, transatlantic data transfers are implicated in an incredibly large swath of cross-border trade:

According to one estimate, transatlantic trade generates upward of $5.6 trillion in annual commercial sales, of which at least $333 billion is related to digitally enabled services. Some estimates suggest that moderate increases in data-localization requirements would result in a €116 billion reduction in exports from the EU.

The agreement will be implemented on this side of the Atlantic by a forthcoming executive order from the White House, at which point it will be up to EU courts to determine whether the agreement adequately restricts U.S. intelligence activities and protects EU citizens’ rights. For now, however, it appears at a minimum that the White House took the CJEU’s concerns seriously and made the right kind of concessions to reach agreement.

And now, once the framework is finalized, we just have to sit tight and wait for Mr. Schrems’ next case.

In Data Privacy & Security, European Union, International, Truth on the Market , , , , ,
permalink

Irish Decision Will Raise Stakes to Resolve Transatlantic Data Trade

Kristian Stout —  9 April 2021

We can expect a decision very soon from the High Court of Ireland on last summer’s Irish Data Protection Commission (“IDPC”) decision that placed serious impediments in the transfer data across the Atlantic. That decision, coupled with the July 2020 Court of Justice of the European Union (“CJEU”) decision to invalidate the Privacy Shield agreement between the European Union and the United States, has placed the future of transatlantic trade in jeopardy.

In 2015, the EU Schrems decision invalidated the previously longstanding “safe harbor” agreement between the EU and U.S. to ensure data transfers between the two zones complied with EU privacy requirements. The CJEU later invalidated the Privacy Shield agreement that was created in response to Schrems. In its decision, the court reasoned that U.S. foreign intelligence laws like FISA Section 702 and Executive Order 12333—which give the U.S. government broad latitude to surveil data and offer foreign persons few rights to challenge such surveillance—rendered U.S. firms unable to guarantee the privacy protections of EU citizens’ data.

The IDPC’s decision employed the same logic: if U.S. surveillance laws give the government unreviewable power to spy on foreign citizens’ data, then standard contractual clauses—an alternative mechanism for firms for transferring data—are incapable of satisfying the requirements of EU law.

The implications that flow from this are troubling, to say the least. In the worst case, laws like the CLOUD Act could leave a wide swath of U.S. firms practically incapable doing business in the EU. In the slightly less bad case, firms could be forced to completely localize their data and disrupt the economies of scale that flow from being able to process global data in a unified manner. In any case, the costs for compliance will be massive.

But even if the Irish court upholds the IDPC’s decision, there could still be a path forward for the U.S. and EU to preserve transatlantic digital trade. EU Commissioner for Justice Didier Reynders and U.S. Commerce Secretary Gina Raimondo recently issued a joint statement asserting they are “intensifying” negotiations to develop an enhanced successor to the EU-US Privacy Shield agreement. One can hope the talks are both fast and intense.

It seems unlikely that the Irish High Court would simply overturn the IDPC’s ruling. Instead, the IDCP’s decision will likely be upheld, possibly with recommended modifications. But even in that case, there is a process that buys the U.S. and EU a bit more time before any transatlantic trade involving consumer data grinds to a halt.

After considering replies to its draft decision, the IDPC would issue final recommendations on the extent of the data-transfer suspensions it deems necessary. It would then need to harmonize its recommendations with the other EU data-protection authorities. Theoretically, that could occur in a matter of days, but practically speaking, it would more likely occur over weeks or months. Assuming we get a decision from the Irish High Court before the end of April, it puts the likely deadline for suspension of transatlantic data transfers somewhere between June and September.

That’s not great, but it is not an impossible hurdle to overcome and there are temporary fixes the Biden administration could put in place. Two major concerns need to be addressed.

  1. U.S. data collection on EU citizens needs to be proportional to the necessities of intelligence gathering. Currently, the U.S. intelligence agencies have wide latitude to collect a large amount of data.
  2. The ombudsperson the Privacy Shield agreement created to be responsible for administering foreign citizen data requests was not sufficiently insulated from the political process, creating the need for adequate redress by EU citizens.

As Alex Joel recently noted, the Biden administration has ample powers to effect many of these changes through executive action. After all, EO 12333 was itself a creation of the executive branch. Other changes necessary to shape foreign surveillance to be in accord with EU requirements could likewise arise from the executive branch.

Nonetheless, Congress should not take that as a cue for complacency. It is possible that even if the Biden administration acts, the CJEU could find some or all of the measures insufficient. As the Biden team works to put changes in place through executive order, Congress should pursue surveillance reform through legislation.

Theoretically, the above fixes should be possible; there is not much partisan rancor about transatlantic trade as a general matter. But time is short, and this should be a top priority on policymakers’ radars.

(note: edited to clarify that the Irish High Court is not reviewing SCC’s directly and that the CLOUD Act would not impose legal barriers for firms, but practical ones).

In Data Privacy & Security, European Union, International, International Trade, Truth on the Market , , , , , ,
permalink

Geo-Blocking: What is it Good For… A Surprising Amount, Actually.

Dirk Auer & Kristian Stout —  11 December 2020

The European Court of Justice issued its long-awaited ruling Dec. 9 in the Groupe Canal+ case. The case centered on licensing agreements in which Paramount Pictures granted absolute territorial exclusivity to several European broadcasters, including Canal+.

Back in 2015, the European Commission charged six U.S. film studios, including Paramount,  as well as British broadcaster Sky UK Ltd., with illegally limiting access to content. The crux of the EC’s complaint was that the contractual agreements to limit cross-border competition for content distribution ran afoul of European Union competition law. Paramount ultimately settled its case with the commission and agreed to remove the problematic clauses from its contracts. This affected third parties like Canal+, who lost valuable contractual protections. 

While the ECJ ultimately upheld the agreements on what amounts to procedural grounds (Canal+ was unduly affected by a decision to which it was not a party), the case provides yet another example of the European Commission’s misguided stance on absolute territorial licensing, sometimes referred to as “geo-blocking.”

The EC’s long-running efforts to restrict geo-blocking emerge from its attempts to harmonize trade across the EU. Notably, in its Digital Single Market initiative, the Commission envisioned

[A] Digital Single Market is one in which the free movement of goods, persons, services and capital is ensured and where individuals and businesses can s​eamlessly access and exercise online activities under conditions of f​air competition,​ and a high level of consumer and personal data protection, irrespective of their nationality or place of residence.

This policy stance has been endorsed consistently by the European Court of Justice. In the 2011 Murphy decision, for example, the court held that agreements between rights holders and broadcasters infringe European competition when they categorically prevent the latter from supplying “decoding devices” to consumers located in other member states. More precisely, while rights holders can license their content on a territorial basis, they cannot restrict so-called “passive sales”; broadcasters can be prevented from actively chasing consumers in other member states, but not from serving them altogether. If this sounds Kafkaesque, it’s because it is.

The problem with the ECJ’s vision is that it elides the complex factors that underlie a healthy free-trade zone. Geo-blocking frequently is misunderstood or derided by consumers as an unwarranted restriction on their consumption preferences. It doesn’t feel “fair” or “seamless” when a rights holder can decide who can access their content and on what terms. But that doesn’t mean geo-blocking is a nefarious or socially harmful practice. Quite the contrary: allowing creators to create different sets of distribution options offers both a return to the creators as well as more choice in general to consumers. 

In economic terms, geo-blocking allows rights holders to engage in third-degree price discrimination; that is, they have the ability to charge different prices for different sets of consumers. This type of pricing will increase total welfare so long as it increases output. As Hal Varian puts it:

If a new market is opened up because of price discrimination—a market that was not previously being served under the ordinary monopoly—then we will typically have a Pareto improving welfare enhancement.

Another benefit of third-degree price discrimination is that, by shifting some economic surplus from consumers to firms, it can stimulate investment in much the same way copyright and patents do. Put simply, the prospect of greater economic rents increases the maximum investment firms will be willing to make in content creation and distribution.

For these reasons, respecting parties’ freedom to license content as they see fit is likely to produce much more efficient outcomes than annulling those agreements through government-imposed “seamless access” and “fair competition” rules. Part of the value of copyright law is in creating space to contract by protecting creators’ property rights. Without geo-blocking, the enforcement of licensing agreements would become much more difficult. Laws restricting copyright owners’ ability to contract freely reduce allocational efficiency, as well as the incentives to create in the first place. Further, when individual creators have commercial and creative autonomy, they gain a degree of predictability that can ensure they will continue to produce content in the future. 

The European Union would do well to adopt a more nuanced understanding of the contractual relationships between producers and distributors. 

In Antitrust & Competition, Copyright, European Union, Google, Intellectual Property, International, Patent, Platforms, Price Discrimination, Truth on the Market , , , , , ,
permalink

UK COURT OF APPEAL UPHOLDS FRAND INJUNCTION

Natasha Nayak —  30 October 2018

Last week, the UK Court of Appeal upheld the findings of the High Court in an important case regarding standard essential patents (SEPs). Of particular significance, the Court of Appeal upheld the finding that the defendant, an implementer of SEPs, could have the sale of its products enjoined in the UK unless it enters into a global licensing deal on terms deemed by the court to be fair, reasonable and non-discriminatory (FRAND). The case is noteworthy not least because the threat of an injunction of this sort has become increasingly rare in other jurisdictions, arguably resulting in an imbalance in bargaining power between patent holders and implementers.

The case concerned patents held by Unwired Planet (most of which had been purchased from Ericsson) that it had declared to be essential to the operation of various telecommunications standards. Chinese telecom giant Huawei had incorporated these patented technologies in its products but disputed the legitimacy of Unwired Planet’s (UP) patents and refused to license them on the terms that were offered.

By way of a background to the case, in March 2014, UP resorted to suing Huawei, Samsung and Google and claiming an injunction when it found it hard to secure licenses. After the commencement of proceedings, UP made licence offers to the defendants. It made offers in April and July 2014 respectively and during the proceedings, including a worldwide SEP portfolio licence, a UK SEP portfolio licence and per-patent licences for any of the SEPs in suit. The defendants argued that the offers were not FRAND. Huawei and Samsung also contended that the offers were in breach of European competition law. UP  settled with Google. Three technical trials of the patents began and UP was able to show that at least two of the patents sued upon were valid and essential and had been infringed. Subsequently, Samsung secured a settlement (at a rate below the market rate) and the FRAND trial went ahead with just Huawei.

Judge Birss delivered the High Court order on April 5, 2017. He held that UP’s patents were valid and infringed and it did not abuse its dominant position by requesting an injunction. He ordered a FRAND injunction that was stayed pending appeal against the two patents that had been infringed. The injunction was subject to a number of conditions which are applied because the case was dealing with patents subject to a FRAND undertaking. It will cease to have effect if Huawei enters into the FRAND license determined by the Court. He also observed that the parties can return for further determination when such license expires. Furthermore, it was held that there was one set of FRAND terms and that the scope of this FRAND was world wide.

The UK Court of Appeal (the bench consisting of Lord Justice Kitchin, Lord Justice Floyd, Lady Justice Asplin) in handing down a 291 paragraph, 66 page judgment dealing with Huawei’s appeal, upheld Birss’ findings. The centrality of Huawei’s appeal focused on the global nature of the FRAND license and the non-discrimination undertaking of UP’s FRAND commitments. Some significant findings of the Court of Appeal are briefly provided below.

The Court of Appeal in upholding Birss’ decision noted that it was unfair to say that UP is using the threat of an injunction to leverage Huawei into taking a global license, and that Huawei had the option to take the global license or submit to an injunction in the UK. Drawing attention to the potential complexities in a FRAND negotiation, the Court observed:

..The owner of a SEP may still use the threat of an injunction to try to secure the payment of excessive licence fees and so engage in hold-up activities. Conversely, the infringer may refuse to engage constructively or behave unreasonably in the negotiation process and so avoid paying the licence fees to which the SEP owner is properly entitled, a process known as “hold-out”.

Furthermore, Huawei argues that imposition of a global license on terms set by a national court based on a national finding of infringement is wrong in principle. It also states that there is currently an ongoing patent litigation in both Germany and China and that there are some countries where UP holds “no relevant” patents at all.

In response to these contentions, the Court of Appeal has held that it may be highly impractical for a SEP owner to seek to negotiate a license of its patent rights in each country and rejected the submission made by Huawei that the approach adopted by Birss in these proceedings is out of line with the territorial nature of patent litigations. It clarified that Birss did not adjudicate on issues of infringement or validity concerning foreign SEPs and did not usurp the rights of foreign courts. It further observed that such an approach of Birss  is consistent with the Council and the European Economic and Social Committee dated 29 November 2017 (COM (2017) 712 final) (“the November 2017 EU Communication”) which notes in section 2.4:

For products with a global circulation, SEP licences granted on a worldwide basis may contribute to a more efficient approach and therefore can be compatible with FRAND.

The Court of Appeal however disagreed with Birss on the issue that there was only one set of FRAND terms. This view of the bench certainly comes as a relief since it seems to appropriately reflect the practical realities of a FRAND negotiation. The Court held:

Patent licences are complex and, having regard to the commercial priorities of the participating undertakings and the experience and preferences of the individuals involved, may be structured in different ways in terms of, for example, the particular contracting parties, the rights to be included in the licence, the geographical scope of the licence, the products to be licensed, royalty rates and how they are to be assessed, and payment terms. Further, concepts such as fairness and reasonableness do not sit easily with such a rigid approach.

Similarly, on the non- discrimination prong of FRAND, the Court of Appeal agreed with Birss that it was not “hard-edged” and the test is whether such difference in rates distorts competition between the licensees. It also noted that the “hard-edged” interpretation would be “akin to the re-insertion of a “most favoured licensee” clause in the FRAND undertaking” which does not seem to be what the standards body, European Telecommunications Standards Institute (ETSI) had in mind when it formulated its policies. The Court also held :

We consider that a non-discrimination rule has the potential to harm the technological development of standards if it has the effect of compelling the SEP owner to accept a level of compensation for the use of its invention which does not reflect the value of the licensed technology.

Finally, the Court of Appeal held that UP did not abuse its dominant position just because it failed to strictly comply with the safe harbor framework laid down by Court of Justice of the European Union in Huawei v. ZTE. The only requirement that must be satisfied before proceedings are commenced by the SEP holder is that the SEP holder give sufficient notice to or consult with the implementer.

The Court of Appeal’s decision offers some significant guidance to the emerging policy debate on FRAND. As mentioned at the beginning of this post, the decision is significant particularly for the reason that UP is one of a total of two cases in the last two years, where an injunctive relief has been granted in instances involving standard essential patents. Such reliefs have been rarely granted in years in the first place. The second such instance of a grant of injunction pertains to Huawei v. Samsung where the Shenzhen Court in China held earlier this year that Huawei met the FRAND obligation while Samsung did not (negotiations were dragged on for 6 years). An injunction was granted against Samsung for infringing two of Huawei’s Chinese patents which are counterparts of two U.S. asserted patents (however Judge Orrick of the U.S. District Court for the Northern District of California enjoined Huawei from enforcing the injunction).

Current jurisprudence on injunctive relief with respect to FRAND encumbered SEPs is that there is no per se ban on these reliefs. However, courts have been very reluctant to actually grant them. While injunctions are statutory remedies, and granted automatically in most cases when a patent is found to be infringed, administrative agencies and courts have held a position that shows that FRAND commitments certainly limit this premise.

Following the eBay decision in the U.S., defendants in infringement claims involving SEPs have argued that permanent injunctions should not be available for FRAND-encumbered SEPs and were upheld in cases such as Apple v. Motorola in 2014 (where Judge Randall Radar also makes a sound case for evidence of a hold out by Apple in his dissenting order). However, in an institutional bargaining framework of FRAND, which is based on a mutuality of considerations, such a recourse is misplaced and likely to inevitably disturb this balance. The current narrative on FRAND that dominates policymaking and jurisprudence is incomplete in its unilateral focus of avoiding the possible problem of a patent hold up in the absence of concrete evidence indicating its probability. In Ericsson v D-Links Judge Davis of the US Court of Appeals for the Federal Circuit underscored this point when he observed that “if an accused infringer wants an instruction on patent hold-up and royalty stacking [to be given to the jury], it must provide evidence on the record of patent hold-up and royalty stacking.”

Remedies emanating from a one sided perspective tilt the bargaining dynamic in favour of implementers and if the worst penalty a SEP infringer has to pay is the FRAND royalty it would have otherwise paid beforehand, then a hold out or a reverse hold up by implementers becomes a very profitable strategy. Remedies for patent infringement cannot be ignored because they are also core to the framework for licensing negotiations and ensuring compliance by licensees. A disproportionate reliance on liability rules over property rights is likely to exacerbate the countervailing problem of hold out and detrimentally impact incentives to innovate, ultimately undermining the welfare goals that such enforcement seeks to achieve.

The Court of Appeal has therefore given valuable guidance in its decision when it noted:

Just as implementers need protection, so too do the SEP owners. They are entitled to an appropriate reward for carrying out their research and development activities and for engaging with the standardization process, and they must be able to prevent technology users from free-riding on their innovations. It is therefore important that implementers engage constructively in any FRAND negotiation and, where necessary, agree to submit to the outcome of an appropriate FRAND determination.

Hopefully this order brings with it some balance in FRAND negotiations as well as a shift in the perspective of courts in how they adjudicate on these litigations. It underscores an oft forgotten principle that is core to the FRAND framework- that FRAND is a two-way street, as was observed in the celebrated case of Huawei v. ZTE in 2015.

In Apple, China, European Union, Google, Intellectual Property, International, Patent, Platforms, Standard Setting, Telecommunications, Truth on the Market, United Kingdom , , , , , , ,
permalink