The Court of Justice of the EU has ruled that Safe Harbor, the major legal instrument for the transfer of personal data to the US, is invalid due to the lack of protections against mass surveillance by the US government.
European data protection law states that companies can only transfer EU citizens’ data to countries that provide an adequate level of protection for this data. The US does not meet its threshold for protection so in 2000 the European Safe Harbor agreement was created to allow the transfer of data between the US and Europe. Companies were allowed to self-certify that they were carrying out the necessary steps.
In 2013, Austrian law student, Max Schrems brought a case against Facebook in Ireland, where the company has its European headquarters. He argued that revelations by NSA whistleblower, Edward Snowden, showed that the NSA were accessing data held by companies like Facebook. As US law did not offer enough protection against this surveillance, his privacy was being violated.
The Irish Data Protection Commissioner rejected Schrems’ case because the Safe Harbor agreement governed the transfer of data. The case was then referred to the Court of Justice of the European Union (CJEU).
The court did not look at the merits of the Safe Harbor agreement, but observed that it only applies to American companies who use it to receive data; US public authorities are not subject to it. The Court found that “national security, public interest and law enforcement requirements of the United States prevail over the safe Harbor scheme”. This means that Safe Harbor by itself cannot guarantee that privacy rights are respected because other laws take precedence.
The Court also found that some of these US laws are too broad and not compatible with our fundamental rights: “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”.
The judgment echoed the Data Retention Directive judgment from April 2014, with a ‘double lock’ that retention can only take place when it is limited to what is necessary to achieve a specific objective, and accompanied by independent authorisation of access. This goes further than the UK’s recent judgment on data retention, which focused solely on access controls.
The above together with the fact that EU citizens have no legal remedies under those US laws drove the court to declare Safe Harbor invalid. The ruling will force the USA and the EU to look at the protection of privacy for EU citizens when their data is stored in the USA. It places our fundamental rights above trade considerations. This is important when thinking about future trade treaties, which are often controversial because of their potential impact on concerns such as privacy and free expression.
The ruling places greater obligations on data protection authorities - such as the UK’s Information Commissioner - as it says that they must ensure that fundamental rights are respected in data transfer arrangements to the US by private companies. It also limits the ability of the Commission to claim everything is OK and persuade European regulators to look away.
Current CJEU rulings are therefore developing a standard for retained data which requires targeted, proportionate retention, coupled with independent access. This challenges current practice not just with communications data retention, but also the sharing of Passenger Name Records (PNR data). It also has implications for proposed extension of data retention that we might see in the draft Investigatory Powers Bill due to be published this autumn.
Max Schrems said:
“I very much welcome the judgement of the Court, which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.
“The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it.
“This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.
“At the same time this case law will be a milestone for constitutional challenges against similar surveillance conducted by EU member states.”
This is very big news. Safe Harbor is used by most large Internet companies we use every day, but also some other 4,000 less known companies. Safe Harbor is dead and the legal changes take effect immediately, but the practical effects may take some time to reach ordinary citizens.
EU companies and subsidiaries large or small that currently rely on Safe Harbor will be urgently looking for alternative arrangements that allow them to continue transferring data to the US. Options include asking for informed consent, but it will be awkward to ask customers to volunteer to be spied upon by the US government. Smaller changes to the privacy policies of Facebook or Twitter have led to major outcries, although admittedly not to a huge loss of business.
Companies could try to use contracts or other corporate instruments. But these could take time and turn out to be problematic in the medium term because any such arrangements might suffer from the same limitations vis-a-vis US national security that led to the demise of Safe Harbor.
We do not expect any companies sending data to the US to stop doing this overnight, or at any rate on their own initiative, but they could be open to challenge. Customers may soon be asking them what exactly they are doing to comply with the ruling.
Data protection authorities might need to examine individual arrangements, and may well rule that they are as invalid as Safe Harbor. However, any increased protection will rely on EU member states’ data protection oversight arrangement. The UK Government needs to ensure that the Information Commissioner’s Office is sufficiently resourced and capable of protecting our privacy rights.
Everyone will also be waiting for other legal changes to come from elsewhere. The EU machine is in the final stages of a major rewrite of data protection legislation, and the European Commission was already negotiating a new agreement with the US to replace Safe Harbor.
The EU could promote its own cloud and Internet services industry to encourage companies to keep data to stay within Europe’s jurisdiction. This is not a long term solution, but it would provide an incentive for the US to act and help create an international framework that truly guarantees our privacy irrespectively of where our data is located. The CJEU has observed that there are a fundamental lack of protections for EU citizens’ data in the US - so ultimately the US needs to change its laws.