Europe’s Top Court Suspends Trans-Atlantic ‘Safe Harbor’ Data-Transfer Pact (10/6)     Print Email

From Google to Apple, U.S. Companies Face Countless Challenges from Europeans Asserting Privacy Violations

By James D. Spellman, Strategic Communications LLC

Europe’s highest court suspended immediately (October 5, 2015) a “Safe Harbor” agreement between the United States and the European Union that had allowed U.S. businesses to transfer personal data of European citizens to the United States.

Already telegraphed by a court adviser two weeks before, the decision triggered a scramble by thousands of U.S. companies as diverse as Facebook, Google, Apple, and Amazon to examine how they would restructure their operations to handle the personal information of their EU-based customers as they braced for a tsunami of complaints from Europeans who will likely file grievances now with their national data protection watchdogs. 

The European Court of Justice ruled that the Safe Harbor was invalid because it prevents member-states’ governments from intervening on behalf of citizens who complain their privacy has been violated. (See press release below.)  All member-states of the European Union have signed the European Convention on Human Rights, which, under Article 8, grants the right to respect for one's "private and family life, his home and his correspondence," subject to certain restrictions.  The one-paragraph ECJ  ruling says that “the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities.” 

spellman201510chart21

Established fifteen years ago, the Safe Harbor agreement created a single, EU-wide legal framework for the transatlantic sharing of information.  It required that organizations collecting and using information about individuals tell them why the information is collected, provide a choice to opt out of having their personal information disclosed to a third party, provide means for correcting or deleting inaccurate information, and establish reasonable precautions to protect the information from loss or unauthorized access.

Court observers said the speed at which the ECJ issued a decision after publication of the Advocate General’s opinion was highly unusual.[1]  Yves Bot had advised:  "It is apparent from the findings of the High Court of Ireland and of the (European) Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection." [2] 

The ECJ’s ruling follows another landmark decision (Google v. Spain) it made in May 2014, which affirmed that Europeans have the “right to be forgotten.” This means Europeans can demand that search engines such as Google and Bing remove private information that is “inadequate, irrelevant or no longer relevant.”  The court cited the EU’s fundamental right to privacy as the basis for its decision.  As “a general rule,” the court said, the right to privacy should take precedence over the public’s right to find information.

Abolishment of the Safe Harbor stems from the case filed by Max Schrems, a 27-year-old Austrian law student, following the 2013 Snowden revelations about U.S. government data surveillance.  He filed the case in Ireland, Facebook’s European headquarters. After the Irish court rejected his suit, he appealed to the ECJ.  US laws and practices do not protect personal data stored from being surveilled by state and federal governments, he asserted.  The US National Security Agency through its PRISM program had unrestricted access to data stored on US-based servers owned and controlled by Internet companies, including Facebook, his complaint continues.

"This decision is a major blow for U.S. global surveillance that heavily relies on private partners. The judgment makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights," Schrems said in a statement posted on his Twitter account after the ECJ ruling.

The ECJ decision doesn’t order an immediate end to those personal data transfers, but has enormous ramifications in three areas:  EU member-states are free to implement their own national laws and regulations to govern how their citizens’ data can be handled; member-states can block transfer of data from their countries to the United States, which may force U.S.-based companies to set up operations in each EU member-state to handle only the data of that country’s citizens; and, more complications will emerge after Ireland’s data protection enforcer examines how Facebook has handled customers’ data and its transfer to the United States.

“The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens," said the U.S. Mission to the European Union in a statement.  The PRISM surveillance program is "targeted against particular valid foreign intelligence targets, is duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations…. The Advocate General’s opinion rests on numerous inaccurate assertions about intelligence practices of the United States.”[3]  The mission questioned the findings of fact by the Irish High Court of Justice, which the Advocate General had relied on in structuring his counsel.

The ruling could "unintentionally tilt the global privacy and data protection landscape to make the EU the global center of gravity," said Jim Koenig of Paul Hastings, a Washington, D.C.-based law firm.

 “It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security,” Facebook said.

“Companies will be working in a legal vacuum,” said Paul Meller, communications director for Digital Europe. “Many companies would be exposing themselves to legal action.”



[1] “Court of Justice of the EU Decision on Safe Harbor Expected October 6.”  National Law Review, September 29, 2015.  http://www.natlawreview.com/article/court-justice-eu-decision-safe-harbor-expected-october-6#sthash.faRmyjO5.dpuf .  Also:  Julia Fioretti, “Court adviser deals major blow to EU-U.S. data share deal.”  Reuters, September 23, 2015.  http://www.reuters.com/article/2015/09/23/us-ireland-eu-privacy-idUSKCN0RN0O720150923