The European Court of Justice struck down the EU-US data sharing agreement known as Safe Harbour this morning (6 October) in a blistering critique of the US government for “compromising the essence of the fundamental right to respect for private life”.
The ECJ ruled the 15-year-old agreement illegal on the basis of the inadequate protection given to Europeans’ data once it’s transferred to the US. Safe Harbour allows companies to transfer consumers’ personal data from Europe to the US if they vouch for adequate privacy standards. More than 4,000 companies have used the agreement to operate in Europe.
According to the ECJ decision, Safe Harbour undermined the ability of national data protection authorities to determine whether data transfers to the US had privacy safeguards up to EU legal standards.
The court ruled that US authorities violate Europeans’ fundamental rights when “national security, public interest and law enforcement requirements of the United States prevail over the Safe Harbour scheme.”
EU citizens’ fundamental right to judicial review is also violated by US authorities’ access to their data, the court decided.
An Irish court referred the Safe Harbour case to the ECJ last year after 27-year-old Austrian law graduate Max Schrems filed a complaint against Facebook with Irish authorities in 2013.
Following Edward Snowden’s leaks, Schrems argued that Facebook abused his privacy rights by transferring his data to the US. Snowden revealed the cooperation between US technology companies and government intelligence agencies. Facebook’s European headquarters is in Ireland.
The ECJ said the Irish court must take up Schrems’ case again.
Schrems said following the ECJ verdict, “This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.”
Schrems also called the ruling a “milestone” for legal challenges to surveillance in EU member states.
The ECJ decision came on the heels of a 23 September opinion issued by ECJ Advocate General Yves Bot, which slammed Safe Harbour, and called it illegal.
The two-week turnaround after Bot’s opinion is significantly shorter than the average two-month interval separating advocate generals’ opinions from final ECJ decisions.
An EU official told EURACTIV one reason for the hurried lead-up to the verdict is that two ECJ judges end their terms today, and the Safe Harbour decision was a last opportunity for them to rule on a prominent case.
The US Mission to the EU lashed out last week against Bot’s opinion in a pointed rejection of his accusations about surveillance. “The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens,” the statement read.
The ECJ decision did not take on some details of Bot’s analysis of US intelligence agencies’ surveillance programmes. In his opinion, Bot explicitly named the NSA’S PRISM programme exposed by Snowden.
The European Commission and its US counterparts have been slowly ploughing through prolonged negotiations for almost two years to strike a new Safe Harbour deal.
In 2013, the Commission outlined 13 points in the agreement that it wanted to address in talks with US officials. This summer, a renegotiated deal was stalled when the US refused to budge on points related to data sharing with law enforcement agencies.
A Facebook spokesperson said after the ruling, “This case is not about Facebook.”
“It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security,” the Facebook spokesperson added.
With Safe Harbour toppled by Schrems’ case against the social media giant, US-based companies and other firms transferring consumer data to the US are looking for alternative ways to legally operate in the EU.
“There is already a bit of a scramble going on as to what the plan b should be,” said Eduardo Ustaran, a privacy law specialist at multinational law firm Hogan Lovells.
Susan Danger, managing director of the American Chamber of Commerce to the EU, called for fast legal alternatives to make sure businesses aren’t left stranded.
“By immediately invalidating Safe Harbour, international business could be severely disrupted unless the EU Institutions and Data Protection Authorities offer alternative mechanisms and a reasonable transition period. Otherwise, the judgement could have far-reaching repercussions for consumers, employers and employees,” Danger said.
For some of those companies, Ustaran said sealing binding corporate rules with data processors in the US will be a way to keep business running in Europe and meet data privacy standards through contract agreements.
Companies that choose that route, even temporarily, while they wait for a new Safe Harbour agreement, will be in for stricter oversight over how they handle consumers’ personal data.
“With Safe Harbour you don’t have to go through an authorisation process. It allows companies to just say they’re doing it and they’re never scrutinised,” Ustaran said.
If companies resort to contracts to continue data transfers to the US, those would be individually subject to legal scrutiny, he added.
Data protection authorities in EU member states will play a big role in how the ECJ decision goes into effect. The court’s ruling struck down the Safe Harbour agreement, but it doesn’t automatically determine whether specific companies have broken the law by transferring data to the US.
“The ones that have the power to rule on specific transfers are the data protection authorities, so it’ll be up to them how to push the decision,” said Ustaran.
As of Tuesday morning, a half hour after the ECJ decision, the US Department of Commerce website was down that listed companies using Safe Harbour.
The ECJ decision on Safe Harbour comes during the final months of negotiations over the EU data protection regulation, which officials have said they want to finish by the end of this year. The regulation will also affect data transfers to countries outside the EU.
Several technology companies have lobbied in recent months against an article that would only allow them to share data with foreign law enforcement agencies if EU authorities sign off on it.