Skip to content

Legal Report January 2016


Data Transfer. The European Court of Justice struck down the European Union (EU) Commission's Safe Harbor agreement with the United States, declaring it invalid in a recent ruling.

Under the Data Protection Directive, personal data can be transferred out of the EU to a third country only if that country ensures an adequate level of protection of the data, such as through domestic law or international commitments. The directive also requires that EU member states designate one or more public authorities to monitor the application within their territory to ensure data protection.

Using these guidelines, the United States and the EU reached a Safe Harbor agreement, which allowed companies to move data by self-certifying that their data practices were equivalent to the protections required under the directive.

However, these protections came under fire following the revelations made by Edward Snowden, former contractor for the National Security Agency (NSA), about the activities of U.S. intelligence services.

After Snowden's information was released in 2013, Maximillian Schrems, an Austrian citizen and Facebook user, filed a complaint with the Irish supervisory authority (the data protection commissioner) that the United States did not offer "sufficient protection against surveillance by the public authorities of the data transferred to that country," according to court documents.

Schrems filed his complaint with Ireland because his data from Austria was transferred from Facebook's Irish subsidiary to servers located in the United States, where it was then processed.

The Irish data protection commissioner initially rejected Schrems' claim, saying that under a July 2000 EU Commission decision—the Safe Harbor Decision—the United States ensures an adequate level of protection of personal data that's transferred. Schrems appealed the decision, first to the High Court of Ireland and then to the European Court of Justice, the EU's highest court.

The Court of Justice ultimately ruled in Schrems' favor, finding the Safe Harbor Decision invalid, on the grounds that no EU Commission decision can reduce the authority of a national data protection authority to enforce data protection rights that are guaranteed under the Data Protection Directive.

The court further said the Safe Harbor agreement with the United States is invalid because U.S. public authorities are not subject to it. Instead, "national security, public interest, and law enforcement requirements of the United States prevail over the Safe Harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements," the court explained.

"The United States Safe Harbor scheme thus enables interference, by United States public authorities, with the fundamental rights of persons and the commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference."

The Irish data protection commissioner will be required to examine Schrems' complaint to decide if the transfer of data of Facebook's European users to the United States should be suspended.

The ruling also places into question whether the method that companies currently use to transfer data between the EU and the United States is still legal. (Schrems v. Data Protection Commissioner, European Union Court of Justice, No. C-362/14, 2015)​


Deepwater Horizon. BP will pay $20.8 billion to settle civil claims by the United States and five Gulf states in the largest settlement with a single entity in the U.S. Department of Justice's history.

The settlement stems from claims that were brought against BP after the April 20, 2010, explosion of the Deepwater Horizon drilling rig, which killed 11 men and sent more than 3 billion barrels of oil into the Gulf of Mexico over the following three months.

After the disaster, then Attorney General Eric Holder announced a civil lawsuit against BP and several codefendants seeking to hold them responsible. This culminated in a three-phase trial where the United States proved that the spill was caused by BP's negligence.

Under the terms of the proposed consent decree, BP will pay a $5.5 billion federal Clean Water Act penalty with interest, $8.1 billion in natural resource damages, $700 million to address any later-discovered natural resource conditions that were unknown at the time of the agreement, and $600 million for other claims.

Alabama, Florida, Louisiana, Mississippi, and Texas also filed civil claims against BP related to the spill, including claims for economic losses and natural resource damages. BP entered separate agreements with the states, and will pay $4.9 billion to them and up to a total of $1 billion to several hundred local government bodies.

"Building on prior actions against BP and its subsidiaries by the Department of Justice, this historic resolution is a strong and fitting response to the worst environmental disaster in American history," said Attorney General Loretta Lynch in a statement. (U.S. v. BP Exploration and Production, U.S. District Court for the Eastern District of New Orleans, No. 10-4536, 2015)​


Transportation safety. President Barack Obama signed legislation (H.R. 720) into law that requires a U.S. Department of Homeland Security assistant secretary to verify that airports and surface transportation systems have individualized working plans in place for responding to security incidents inside their perimeters.

These plans must include response plans for active shooters, acts of terrorism, and incidents that target passenger-screening checkpoints. The plans must also have a strategy for evacuating and providing care to people inside the perimeter of the system, a schedule for regular testing of communications equipment, and a method and plan to communicate with travelers and others inside the perimeter of the system, among other requirements.

The assistant secretary will then use these plans to identify best practices for security incident planning, management, and training, and establish a mechanism to share those best practices with airport operators and passenger transportation agencies nationwide.

Airport security. The U.S. House of Representatives passed legislation that would limit airport employees' access to secure areas within airport facilities.

The bill (H.R. 3102) directs the Transportation Security Administration (TSA) to create a risk-based, intelligence-driven model for screening airport employees based on the level of employment-related access to Secure Identification Display Areas, Airport Operations Areas, or secure areas at U.S. airports.

The bill requires TSA to establish a program to allow airport badging offices to use E-Verify to determine eligibility of all applicants seeking access to secure areas to work in the United States, create a process to transmit applicants' fing​erprint data to a federal office for vetting, and assess credential application data received by the U.S. Department of Homeland Security to ensure it is complete and matches data submitted by airport operators, among other measures.

Rep. John Katko (R-NY) introduced the bill, which has two cosponsors—Rep. Kathleen Rice (D-NY) and Rep. Michael McCaul (R-TX). It will now move to the Senate for consideration.​


United Kingdom

Whistleblowers. The United King­­­dom's Financial Conduct Authority (FCA) issued new whistleblower rules for deposit-takers (banks, building societies, and credit unions) with more than £250 million (approximately $380 million) in assets and insurers subject to the Solvency II directive—a European Union directive that codifies insurance regulation.

These institutions are required to appoint a whistleblowers' champion, make arrangements to handle all types of disclosures, explain that workers have a legal right to blow the whistle, and tell U.K.-based employees about the whistleblowing services.

Additionally, the measures require these institutions to annually present to their boards on whistleblowing, and inform the FCA when they lose an employment tribunal claim with a whistleblower.

"These rules aim to encourage a culture where individuals feel able to raise concerns and challenge poor practice and behavior," said Tracey McDermott, acting FCA chief executive, in a statement. The measures will go into effect in September 2016.