EU Court Invalidates U.S.-EU Data Sharing AgreementPost-Snowden Case Against Facebook Leads to Ruling
The Court of Justice of the European Union ruled Oct. 6 that the EU-U.S. data sharing agreement, known as Safe Harbor, is invalid because the United States has failed to ensure that its "law and practices ... ensure an adequate level of protection" for Europeans' right to privacy.
See Also: 2016 Social Engineering Report
The Safe Harbor policy, established in 2000, regulates how U.S. companies can handle Europeans' personal information. But the agreement came under fire from privacy and civil rights groups in the wake of mass surveillance revelations tied to documents leaked by National Security Agency whistleblower Edward Snowden.
Privacy rights groups and some EU legislators have lauded the European Justice Court's new ruling. But the judgment has triggered concern from some businesses, who warn that they will remain stuck in legal limbo until the European Commission creates a new framework to allow U.S. businesses to import Europeans' private information.
The ruling by Europe's high court is the culmination of a legal challenge against Facebook, launched by Austrian privacy campaigner Max Schrems, 28, who pointed to documents leaked by Snowden that suggested Europeans' private information was being shared with U.S. intelligence agencies (see Facebook NSA Case Moves to EU Court).
The complaint by Schrems claimed that Facebook, which has European operations based in Ireland, was transferring his personal information to U.S.-based servers, thus making private details about him illegally available to U.S. intelligence agencies. But Ireland's data commissioner declined to hear his case on the grounds that Schrems could produce no proof that his personal data had been accessed by the NSA, and because any data sharing would have been allowed under the Safe Harbor agreement.
Ruling: Safe Harbor 'Invalid'
Europe's high court, however, has now ruled that Ireland's data commissioner should have heard the case, saying the Safe Harbor agreement did not override either Europe's data protection directive or Ireland's responsibility to serve as an independent body that supervises whether Europeans' privacy rights are being respected.
"The court declares the Safe Harbor Decision invalid," it said in its judgment. "The Irish supervisory authority is required to examine Mr. Schrems' complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data."
Schrems has lauded the ruling. "I very much welcome the judgment of the court, which will hopefully be a milestone when it comes to online privacy. It clarifies that mass surveillance violates our fundamental rights," he said. "This decision is a major blow for U.S. global surveillance that relies heavily on private partners. The judgment makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights."
Responding to the ruling, Facebook issued a statement noting that Europe's high court found "that Facebook has done nothing wrong," and framed the judgment in terms of bigger-picture questions about "transatlantic data flows."
Now, it's up to EU governments to interpret the court's judgment. Ireland's current data protection commissioner, Helen Dixon, said that she also welcomed the ruling, noting that while many of the related issues are complex, "what is immediately clear is that the court has reiterated the fundamental importance attaching to the right of individuals to the protection of their personal data."
Dixon said that with the court ruling that the old Safe Harbor rules are invalid, her office would now work with other data protection authorities across Europe "to determine how the judgment can be implemented in practice, quickly and effectively, particularly insofar as it impacts on EU/U.S. data transfers."
The White House, meanwhile, says it will work with European officials to update Safe Harbor as quickly as possible, although it has so failed to address the mass surveillance fears that underlie the court's ruling. "We are deeply disappointed in today's decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy," says U.S. Secretary of Commerce Penny Pritzker. "We are prepared to work with the European Commission to address uncertainty created by the court decision."
Follows Snowden Revelations
Privacy expert attorney Eduardo Ustaran, a London-based partner in the global privacy and information management practice at the law firm Hogan Lovells, says the EU high court's ruling is a direct result of Snowden's revelations.
My initial #SafeHarbor reactions: #1 Invalidity based on perceived excessive interference with EU fundamental rights. Simple as that.ï¿½ Eduardo Ustaran (@EUstaran) October 6, 2015
Numerous legal and privacy experts have also noted that Safe Harbor was intended to allow Europeans' private information to be used by businesses, not intelligence agencies. "Today's CJEU ruling is essentially a proxy judgment of U.S. surveillance law, finding that it falls afoul of European human rights standards," says London-based independent human rights attorney Carly Nyst via Twitter.
A similar case filed by Amnesty International - and other privacy and civil rights groups - against the U.K.'s Government Communications Headquarters, accusing it of conducting illegal mass surveillance, is still due to be heard by Europe's high court (see Ruling: GCHQ-NSA Data Sharing Illegal). Nyst says in the wake of the court's decision over Schrems' complaint, it's "hard to see how U.K. surveillance laws will pass muster" when the court hears that case.
Businesses Seek New Framework
Many businesses with operations in Europe have responded with alarm over the ruling. "The ability to transfer data easily and securely between Europe and the U.S. is critical for businesses in our modern data-driven digital economy," says Matthew Fell, who's a director at U.K. business lobby CBI. "Businesses will want to see clarity on the immediate implications of the ECJ's decision, together with fast action from the Commission to agree [on] a new framework. Getting this right will be important to the future of Europe's digital agenda, as well as doing business with our largest trading partner."
Facebook, the social network that was the focus of the complaint that led to this ruling, also said in a statement that it, "like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the U.S. from Europe, aside from Safe Harbor." The company also urged the relevant governments to "resolve any issues relating to national security" and create a new framework "for lawful data transfers."
Experts expect governments on both sides of the Atlantic to now have to rethink their surveillance programs and related oversight mechanisms. "The invalidation of the Safe Harbor agreement should spur governments on both sides of the Atlantic to ratchet up long-overdue reform efforts," says Jens Henrik-Jeppesen, director of European affairs for Washington-based Center for Democracy and Technology, a civil rights group. "There is a clear need for the U.S. and Europe to set clear, lawful, and proportionate standards and safeguards for conducting surveillance for national security purposes."
In the wake of the European high court's ruling, Henrik-Jeppesen says that the U.S. Congress, in particular, will likely have to pass new laws that provide privacy protections to Europeans (see U.S. Plan Would Boost EU Privacy Rights). European negotiators, meanwhile, will no doubt face scrutiny at home relating to whatever new data-sharing agreements they put in place with the United States.