A European court has ruled that an agreement between the U.S. and Europe around how data is stored and transferred between the two regions is “invalid.”
The “Safe Harbor” principles are a system devised by the U.S. to help companies comply with the European Commission’s (E.C.) Directive on Data Protection, which came into effect in 1998. The directive essentially prohibits the transfer of personal data outside the European Union (E.U.) to countries that don’t meet the E.U.’s “adequacy” standard for privacy protection.
However, that process is incongruous with privacy standards and legislation in other markets, such as the U.S. — where many major online companies, including Facebook, Google, and Twitter, store user data from around the world. This is why the U.S. Department of Commerce drew up the Safe Harbor agreement, in consultation with Europe — to ease trans-Atlantic transactions by letting companies “self-certify” that they comply with the E.U. Directive.
Today’s ruling came about after Austrian law student and privacy campaigner Max Schrems challenged Facebook in Ireland, where the social network’s European headquarters is based, arguing that the National Security Agency’s (NSA) surveillance programs revealed by whistleblower Edward Snowden violated his privacy.
The Irish supervisory authority (the Data Protection Commissioner) rejected the case, citing the Safe Harbor agreement, but the High Court of Ireland asked the Court of Justice of the European Union (CJEU) in Luxembourg to rule on whether national authorities were prevented from investigating a complaint that alleges the U.S. doesn’t ensure an adequate level of protection, and to suspend the “contested transfer of data.”
The CJEU found [emphasis ours]:
“The Court of Justice holds that the existence of a Commission (European Commission) decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive.”
In other words, the CJEU says that national authorities can, and should, rule on cases on an individual basis.
[Embedded tweet: Max Schrems (@maxschrems), October 6, 2015]
It’s worth noting that today’s ruling doesn’t necessarily mean that the Safe Harbor principles are dead in the water, however; it just means that local authorities in each country must consider cases, and cannot simply permit the transfer of data to the U.S. purely because a company is (self) certified by Safe Harbor.
The Court of Justice states that local law enforcement requirements in the U.S., including those pertaining to public interest and national security, ultimately prevail over Safe Harbor, so that “United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements.” In short, the Safe Harbor scheme is massively weighted in favor of the U.S. and is prone to interference from authorities.
This now means that the original Irish supervisory authority must examine Mr. Schrems’ complaint, though it could find that the U.S. affords an adequate level of protection of personal data. Only time will tell. If the ruling falls in Schrems’ favor, other E.U. national courts will look to this as a precedent, so it will prove a pivotal case.
“In declaring the old ‘safe harbour’ rules invalid, the significance of the judgment extends far beyond the case presently pending in Ireland,” said Ireland’s Data Protection Commissioner, Helen Dixon. “In that regard, my Office will immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgment can be implemented in practice, quickly and effectively, particularly insofar as it impacts on EU/US data transfers.”
However, Dixon added that the judgment in Schrems’ case “will now be considered by the Irish High Court” and that her office will “bring the case back as soon as practicable.”