The European Court of Justice (ECJ) invalidated the Safe Harbor framework between the United States and the European Union that, for the past fifteen years, has enabled the movement of Europeans’ data across the Atlantic. As the business community seeks clarification about what rules will apply going forward, both the White House and the European Commission promised that they will continue work on a new agreement.
The case began in 2013 when Austrian law student Max Schrems complained to the Irish data protection commissioner that his Facebook data was inadequately protected when it moved to U.S. servers, citing Edward Snowden’s leaks about widespread NSA surveillance. The Irish commissioner rejected Schrems’s complaint on the grounds that the European Commission had determined in 2000 that the Safe Harbor framework adequately protected EU citizens’ data. On appeal, the Irish High Court referred to the ECJ the question of whether a national data protection authority is bound by the Commission’s finding.
Yesterday, the ECJ ruled the Safe Harbor agreement invalid because it places “national security, public interest or law enforcement requirements” over privacy principles. The court found that the European Commission had approved the pact without making a determination that U.S. law provides adequate privacy protection for European citizens. It also ruled that each data protection authority in the European Union may examine whether a transfer complies with EU privacy rules and, if it deems that it does not, raise the issue with its national court that can then refer it to the ECJ for a ruling. However, the ECJ made clear that only it can issue a final determination that a country does not offer “adequate” protection for personal data.
What are the implications of the decision?
First, U.S. and EU negotiators will attempt to put Humpty Dumpty back together again by updating the Safe Harbor framework. Both sides have been renegotiating the agreement since the Snowden revelations. Negotiators were reportedly close to an agreement when they got wind of the breadth of the upcoming ECJ decision. The Commission may now attempt to use the decision to gain more leverage in these negotiations. However, Congress is already considering bipartisan legislation that would provide U.S. Privacy Act protections to European citizens.
Second, the spotlight is now on European national data protection regulators. In addition to their new ability to examine data transfers, they have a role approving other mechanisms companies may deploy to replace Safe Harbor, including binding corporate rules for intra-company transfers of personal data. In a number of EU countries, national regulators also have the power to confirm whether model clauses are being used to transfer personal data to the United States and other third countries. Today, many of these national authorities have backlogs of several months. It is unclear if they will order suspension of transfers of personal data to the United States under model clauses arrangements until they work through what would surely become a much bigger backlog.
Third, this decision is a direct fallout of Edward Snowden’s revelations of NSA surveillance. Experts within and outside the U.S. government have argued that the ECJ based its ruling on erroneous factual assumptions regarding the nature and oversight of U.S. surveillance. Moreover, they note that the United States provides adequate privacy protections, especially in comparison to European countries many of which have no independent data protection oversight of law enforcement and intelligence surveillance. The ECJ also based its decision on a 2013 European Commission report on U.S. surveillance, parts of which are outdated given U.S. surveillance reforms spurred by President Obama’s 2014 executive order. Robert Litt, general counsel for the Office of the Director of National Intelligence, wrote an opinion piece for the Financial Times before the ruling to argue that the surveillance program at issue in the ECJ’s decision “does not give the U.S. ‘unrestricted access’ to data.”
Meanwhile, privacy advocates are citing the decision to prod Congress to engage in much broader reform U.S. surveillance programs. Jens Henrik-Jeppesen, director of European affairs for the Center for Democracy and Technology, for example, said “There is a clear need for the U.S. and Europe to set clear, lawful and proportionate standards and safeguards for conducting surveillance for national security purposes.”
In the end, the ECJ’s willingness to invalidate the Safe Harbor framework underscores the unpredictable outcomes of the proposed reforms to European data protection regulation, new intra-European tax rules on digital goods, or the competition cases involving U.S. tech giants. Europe appears willing to act to protect its interests even if it means upsetting established business conventions.