Info Sharing

EU Court Invalidates U.S.-EU Data Sharing Agreement

Post-Snowden Case Against Facebook Leads to Ruling
EU Court Invalidates U.S.-EU Data Sharing Agreement
Privacy activist Maximillian Schrems filed a complaint against Facebook that led to the ruling (Credit: Lukas Beck, europe-v-facebook.org)

The Court of Justice of the European Union ruled Oct. 6 that the EU-U.S. data sharing agreement, known as Safe Harbor, is invalid because the United States has failed to ensure that its "law and practices ... ensure an adequate level of protection" for Europeans' right to privacy.

See Also: API vs. Proxy: Understanding How to Get the Best Protection from Your CASB

The Safe Harbor policy, established in 2000, regulates how U.S. companies can handle Europeans' personal information. But the agreement came under fire from privacy and civil rights groups in the wake of mass surveillance revelations tied to documents leaked by National Security Agency whistleblower Edward Snowden.

Privacy rights groups and some EU legislators have lauded the European Justice Court's new ruling. But the judgment has triggered concern from some businesses, who warn that they will remain stuck in legal limbo until the European Commission creates a new framework to allow U.S. businesses to import Europeans' private information.

The ruling by Europe's high court is the culmination of a legal challenge against Facebook, launched by Austrian privacy campaigner Max Schrems, 28, who pointed to documents leaked by Snowden that suggested Europeans' private information was being shared with U.S. intelligence agencies (see Facebook NSA Case Moves to EU Court).

The complaint by Schrems claimed that Facebook, which has European operations based in Ireland, was transferring his personal information to U.S.-based servers, thus making private details about him illegally available to U.S. intelligence agencies. But Ireland's data commissioner declined to hear his case on the grounds that Schrems could produce no proof that his personal data had been accessed by the NSA, and because any data sharing would have been allowed under the Safe Harbor agreement.

Ruling: Safe Harbor 'Invalid'

Europe's high court, however, has now ruled that Ireland's data commissioner should have heard the case, saying the Safe Harbor agreement did not override either Europe's data protection directive or Ireland's responsibility to serve as an independent body that supervises whether Europeans' privacy rights are being respected.

"The court declares the Safe Harbor Decision invalid," it said in its judgment. "The Irish supervisory authority is required to examine Mr. Schrems' complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data."

Schrems has lauded the ruling. "I very much welcome the judgment of the court, which will hopefully be a milestone when it comes to online privacy. It clarifies that mass surveillance violates our fundamental rights," he said. "This decision is a major blow for U.S. global surveillance that relies heavily on private partners. The judgment makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights."

Responding to the ruling, Facebook issued a statement noting that Europe's high court found "that Facebook has done nothing wrong," and framed the judgment in terms of bigger-picture questions about "transatlantic data flows."

Now, it's up to EU governments to interpret the court's judgment. Ireland's current data protection commissioner, Helen Dixon, said that she also welcomed the ruling, noting that while many of the related issues are complex, "what is immediately clear is that the court has reiterated the fundamental importance attaching to the right of individuals to the protection of their personal data."

Dixon said that with the court ruling that the old Safe Harbor rules are invalid, her office would now work with other data protection authorities across Europe "to determine how the judgment can be implemented in practice, quickly and effectively, particularly insofar as it impacts on EU/U.S. data transfers."

The White House, meanwhile, says it will work with European officials to update Safe Harbor as quickly as possible, although it has so failed to address the mass surveillance fears that underlie the court's ruling. "We are deeply disappointed in today's decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy," says U.S. Secretary of Commerce Penny Pritzker. "We are prepared to work with the European Commission to address uncertainty created by the court decision."

Follows Snowden Revelations

Privacy expert attorney Eduardo Ustaran, a London-based partner in the global privacy and information management practice at the law firm Hogan Lovells, says the EU high court's ruling is a direct result of Snowden's revelations.

Numerous legal and privacy experts have also noted that Safe Harbor was intended to allow Europeans' private information to be used by businesses, not intelligence agencies. "Today's CJEU ruling is essentially a proxy judgment of U.S. surveillance law, finding that it falls afoul of European human rights standards," says London-based independent human rights attorney Carly Nyst via Twitter.

A similar case filed by Amnesty International - and other privacy and civil rights groups - against the U.K.'s Government Communications Headquarters, accusing it of conducting illegal mass surveillance, is still due to be heard by Europe's high court (see Ruling: GCHQ-NSA Data Sharing Illegal). Nyst says in the wake of the court's decision over Schrems' complaint, it's "hard to see how U.K. surveillance laws will pass muster" when the court hears that case.

Businesses Seek New Framework

Many businesses with operations in Europe have responded with alarm over the ruling. "The ability to transfer data easily and securely between Europe and the U.S. is critical for businesses in our modern data-driven digital economy," says Matthew Fell, who's a director at U.K. business lobby CBI. "Businesses will want to see clarity on the immediate implications of the ECJ's decision, together with fast action from the Commission to agree [on] a new framework. Getting this right will be important to the future of Europe's digital agenda, as well as doing business with our largest trading partner."

Facebook, the social network that was the focus of the complaint that led to this ruling, also said in a statement that it, "like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the U.S. from Europe, aside from Safe Harbor." The company also urged the relevant governments to "resolve any issues relating to national security" and create a new framework "for lawful data transfers."

Reform Needed

Experts expect governments on both sides of the Atlantic to now have to rethink their surveillance programs and related oversight mechanisms. "The invalidation of the Safe Harbor agreement should spur governments on both sides of the Atlantic to ratchet up long-overdue reform efforts," says Jens Henrik-Jeppesen, director of European affairs for Washington-based Center for Democracy and Technology, a civil rights group. "There is a clear need for the U.S. and Europe to set clear, lawful, and proportionate standards and safeguards for conducting surveillance for national security purposes."

In the wake of the European high court's ruling, Henrik-Jeppesen says that the U.S. Congress, in particular, will likely have to pass new laws that provide privacy protections to Europeans (see U.S. Plan Would Boost EU Privacy Rights). European negotiators, meanwhile, will no doubt face scrutiny at home relating to whatever new data-sharing agreements they put in place with the United States.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network