The European Court of Justice struck down the EU-US data sharing agreement known as Safe Harbour this morning (6 October) in a blistering critique of the US government for “compromising the essence of the fundamental right to respect for private life”.
The ECJ ruled the 15-year-old agreement illegal on the basis of the inadequate protection given to Europeans’ data once it’s transferred to the US. Safe Harbour allows companies to transfer consumers’ personal data from Europe to the US if they vouch for adequate privacy standards. More than 4,000 companies have used the agreement to operate in Europe.
According to the ECJ decision, Safe Harbour undermined the ability of national data protection authorities to determine whether data transfers to the US had privacy safeguards up to EU legal standards.
The court ruled that US authorities violate Europeans’ fundamental rights when “national security, public interest and law enforcement requirements of the United States prevail over the Safe Harbour scheme.”
EU citizens’ fundamental right to judicial review is also violated by US authorities’ access to their data, the court decided.
An Irish court referred the Safe Harbour case to the ECJ last year after 27-year-old Austrian law graduate Max Schrems filed a complaint against Facebook with Irish authorities in 2013.
Following Edward Snowden’s leaks, Schrems argued that Facebook abused his privacy rights by transferring his data to the US. Snowden revealed the cooperation between US technology companies and government intelligence agencies. Facebook’s European headquarters is in Ireland.
The ECJ said the Irish court must take up Schrems’ case again.
Schrems said following the ECJ verdict, “This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.”
Schrems also called the ruling a “milestone” for legal challenges to surveillance in EU member states.
The ECJ decision came on the heels of a 23 September opinion issued by ECJ Advocate General Yves Bot, which slammed Safe Harbour, and called it illegal.
The two-week turnaround after Bot’s opinion is significantly shorter than the average two-month interval separating advocate generals’ opinions from final ECJ decisions.
An EU official told EurActiv one reason for the hurried lead-up to the verdict is that two ECJ judges end their terms today, and the Safe Harbour decision was a last opportunity for them to rule on a prominent case.
The US Mission to the EU lashed out last week against Bot’s opinion in a pointed rejection of his accusations about surveillance. “The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens,” the statement read.
The ECJ decision did not take on some details of Bot’s analysis of US intelligence agencies’ surveillance programmes. In his opinion, Bot explicitly named the NSA’S PRISM programme exposed by Snowden.
The European Commission and its US counterparts have been slowly ploughing through prolonged negotiations for almost two years to strike a new Safe Harbour deal.
In 2013, the Commission outlined 13 points in the agreement that it wanted to address in talks with US officials. This summer, a renegotiated deal was stalled when the US refused to budge on points related to data sharing with law enforcement agencies.
A Facebook spokesperson said after the ruling, “This case is not about Facebook.”
“It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security,” the Facebook spokesperson added.
With Safe Harbour toppled by Schrems’ case against the social media giant, US-based companies and other firms transferring consumer data to the US are looking for alternative ways to legally operate in the EU.
“There is already a bit of a scramble going on as to what the plan b should be,” said Eduardo Ustaran, a privacy law specialist at multinational law firm Hogan Lovells.
Susan Danger, managing director of the American Chamber of Commerce to the EU, called for fast legal alternatives to make sure businesses aren’t left stranded.
“By immediately invalidating Safe Harbour, international business could be severely disrupted unless the EU Institutions and Data Protection Authorities offer alternative mechanisms and a reasonable transition period. Otherwise, the judgement could have far-reaching repercussions for consumers, employers and employees,” Danger said.
For some of those companies, Ustaran said sealing binding corporate rules with data processors in the US will be a way to keep business running in Europe and meet data privacy standards through contract agreements.
Companies that choose that route, even temporarily, while they wait for a new Safe Harbour agreement, will be in for stricter oversight over how they handle consumers’ personal data.
“With Safe Harbour you don’t have to go through an authorisation process. It allows companies to just say they’re doing it and they’re never scrutinised,” Ustaran said.
If companies resort to contracts to continue data transfers to the US, those would be individually subject to legal scrutiny, he added.
Data protection authorities in EU member states will play a big role in how the ECJ decision goes into effect. The court’s ruling struck down the Safe Harbour agreement, but it doesn’t automatically determine whether specific companies have broken the law by transferring data to the US.
“The ones that have the power to rule on specific transfers are the data protection authorities, so it’ll be up to them how to push the decision,” said Ustaran.
As of Tuesday morning, a half hour after the ECJ decision, the US Department of Commerce website was down that listed companies using Safe Harbour.
The ECJ decision on Safe Harbour comes during the final months of negotiations over the EU data protection regulation, which officials have said they want to finish by the end of this year. The regulation will also affect data transfers to countries outside the EU.
Several technology companies have lobbied in recent months against an article that would only allow them to share data with foreign law enforcement agencies if EU authorities sign off on it.
German MEP Jan Philipp Albrecht [Greens], rapporteur on data protection regulation: ""The European Parliament has already called for 'Safe Harbor' to be scrapped but the European Commission has ignored this demand for a year and a half. It is now high time to pass a strong and enforceable framework for the protection of personal data in the course of the EU data protection reform and make clear to the United States that it hasto deliver adequate legally binding protection in the private sector as well as to introduce juridical redress for EU citizens with regards to their privacy rights in all sectors including national security."
Monique Goyens, director general of the European Consumer Organisation (BEUC): “This is a historic victory for the protection of European data privacy rights. The European Union’s highest court has made it crystal clear: safe harbor is not safe. An agreement which allows US companies to merely declare that they adhere to EU data protection rules without any authority screening this claim is clearly not worth the paper it is written on.”
Dutch MEP Sophie In' t Veld, ALDE First Vice-President and spokesperson for data protection: "Today's ECJ ruling is the nail in the coffin of Safe Harbour. For years now it has been clear for all to see: Safe Harbour does not provide any meaningful privacy protection for EU citizens. It only provides legal clearance for companies to conduct business across the Atlantic. But it is a travesty of legality."
British MEP Timothy Kirkhope, ECR spokesman on data protection: "The result of this ruling could be a patchwork of different regimes across Europe and different interpretations of how data should be stored and used. Court rulings often leave fragmentation in their wake which could be more damaging for businesses and consumers in the long run. Consumers and businesses just want some clear and consistent rules and so far we are failing in our responsibility to provide them."
Peter Olson, president of technology industry association DigitalEurope: “We urgently call on the European Commission and the United States Government to conclude their long-running negotiations to provide a new Safe Harbour agreement as soon as possible. We also call on the European Commission to immediately issue guidance to companies operating under the Safe Harbour framework to ensure that essential and routine commercial activities can occur during the current legal vacuum."
British MEP Catherine Bearder (ALDE): "This is a historic victory against indiscriminate snooping by intelligence agencies, both at home and abroad. In a globalised world, only a strong and binding international framework will ensure our citizens' personal data is secure. Being part of the EU means we can fight for strong safeguards that protect UK citizens' freedom and privacy."
Joe McNamee, director of NGO European Digital Rights: "Safe Harbor was flawed in principle and flawed in practice. After last year’s data retention ruling, this is the second time in two years that the Court of Justice has struck down an instrument that the European Commission had spent years defending."
Susanne Dehmel, director of German tech industry association Bitkom: "Thousands of companies rely on Safe Harbour for their data transfers between Germany and the US. The companies now need legal certainty as fast as possible. They have to know what legal basis they can count on in the future and how much time they need for the transition to other legal bases. A transition from Safe Harbour to other legal methods means an enormous effort for companies.“
Thomas Boué, Director of Policy EMEA, BSA The Software Alliance: "BSA The Software Alliance is very disappointed by today's decision from the Court of Justice of the European Union on the Safe Harbor agreement. We are studying the details of the decision but are very concerned that this decision will have a negative impact not just on providers of data services but will also be harmful to consumers of those services."
Deutsche Telekom: “This ruling has huge implications for data privacy in Europe. The Safe Harbor agreement between the EU Commission and the United States is not viable in its current form. The European Court of Justice (ECJ) has clearly determined that European citizens' data is not adequately protected in the United States. Therefore we need the European General Data Protection Regulation to be implemented quickly to ensure that companies abroad comply with Europe's high data privacy standards.”
European Telecommunications Network Operators' Association (ETNO): "ETNO has been pointing to the weaknesses of the Safe Harbour regime for long and has made proposals to address them. Our digital economy needs legal certainty in this field, especially in light of the significance of transatlantic data flows. Future arrangements should guarantee a high level of data protection and address the opportunities and challenges of the digital era."
Estelle Massé, European policy analyst at NGO Access: “This ruling highlights that the decision to allow the transfer of data outside the EU cannot be left to the discretion of the Commission alone. The Parliament and EU data protection authorities have to be involved.”
Markus J. Beyrer, director general of BusinessEurope: "Today’s court judgment gives rise to great legal uncertainty that must be remedied urgently. It would have very negative consequences for the functioning of the EU Single Market, in any sector of the European economy. EU and US authorities should urgently come up with a revised Safe Harbor framework that addresses the current concerns – in particular by improving transparency and enforcement.”
Existing European rules on data protection were adopted in 1995, when the Internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate took a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.
European politicians reacted angrily to the news and called for stricter measures to ensure privacy.
Court of Justice of the European Union
- ECJ decision: The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid (6 Oct. 2015)