A crucial data protection agreement between the European Union and the US has been declared invalid in a move that could spell trouble for US-based internet giants such as Facebook, Google or Microsoft with huge business operations within the EU, and thousands of other US firms working in Europe.
The European Court of Justice (ECJ) has ruled invalid the Safe Harbour agreement, under which US firms transferring data between the US and EU member states were considered to offer sufficient safeguards to comply with European data protection law.
The court’s ruling follows what ECJ Advocate General Yves Bot, the European Commission and the European Parliament have previously acknowledged, and which has been emphasised by the US state surveillance revealed in documents leaked by Edward Snowden: safeguards on personal data in the US are lacking. In its ruling the ECJ stated that: “The United States … scheme enables interference, by United States public authorities, with the fundamental rights of persons”.
The case originates in a complaint brought to the Irish Data Protection Commissioner by the Austrian citizen Max Schrems against Facebook (based in Ireland). Schrems argued that Facebook should be prohibited from transferring personal data to the US due to the surveillance activities of the US government. The legal issues raised by the complaint needed to be addressed by the ECJ and, now that it has handed down its ruling, the case between Max Schrems and the Irish Data Protection Commissioner will come before the High Court.
How safe is Safe Harbour?
The EU Data Protection Directive prohibits the transfer of personal data to countries outside the EU that do not have an adequate level of data protection regulations in place. Until this ECJ ruling, some held the view that national data protection authorities (such as the Irish Data Protection Commissioner in this case) did not have the power to determine whether data protection in the US was adequate. In fact the Safe Harbour decision included a framework to enable US companies to self-certify compliance with EU data protection rules.
Of course, this case and others, and the Snowden revelations, highlight how inadequate compliance is. European Commission Vice President Viviane Reding noted in January 2014:
We kicked the tyres and saw that repairs are needed. For Safe Harbour to be fully roadworthy the US will have to service it. This summer, we will see how well those repairs were carried out. Safe Harbour has to be strengthened or it will be suspended.
In March 2014, the European Parliament called for a suspension of the Safe Harbour Agreement, while the Center for Digital Democracy filed a complaint with the US Federal Trade Commission (FTC) highlighting the widespread non-compliance of 30 US companies.
The ECJ ruling is significant in two respects. It reinforces that the right to privacy guaranteed by Articles 7 and 8 of the European Charter of Fundamental Rights should not be infringed when data is processed outside the EU. Privacy policies must state that users are effectively protected against the risk of abuse and or unlawful access of that data. It also implies that anyone who is concerned their personal data has been misused should have a legal or judicial remedy.
But business goes on
The ECJ ruling, which is effective immediately, carries three implications.
First, if the Safe Harbour agreement is invalid then data protection authorities can pursue US firms over privacy or data protection complaints. In fact the ECJ ruling essentially requires all member states to undertake an assessment of the adequacy of protections in the case of cross-border data transfers.
Second, cross-border data transfers, while not prohibited, will no longer be a tick-box exercise for self-compliance. It is anticipated that the Article 29 Working Party, which looks into personal data protection issues, may more closely examine US companies’ compliance with the latest guidance notes.
Third, looking to the future there is no doubt that the EU and US will need to review the current self-certification and self-regulation mechanisms, which will have to demonstrate that they’re transparent, proportionate and fair.
The ECJ ruling provides a clear reminder of the far-reaching significance of human rights legislation in European data protection law, and the role of the courts in upholding them. It won’t go down well in the US, where there is the view that it ignores the considerable reforms to how US intelligence agencies conduct their data gathering activities. The Privacy and Civil Liberties Oversight Board in its reassessment of US intelligence law, identified measures designed to deal with indiscriminate data gathering activities.
For now, it may appear that this is the end of business as usual for the Safe Harbour agreement, but in truth a single legal answer will not solve the complexities of ensuring data protection to European standards can be managed in other countries. A day for upholding fundamental human rights principles, but the hard practicalities lie ahead.