ECJ Bombs the Safe Harbor

Contributor: William A. Carter

What Happened

Today the European Court of Justice (ECJ) invalidated the ‘Safe Harbor’ agreement. This agreement allowed the European Commission (EC) to designate individual U.S. companies as having ‘adequate’ privacy protections in place despite the fact that the U.S., as a country, does not have “adequate” protections under EU law.

The ECJ ruled in favor of Max Schrems, an Austrian citizen who submitted a complaint to Irish regulators against Facebook after the Snowden revelations in 2013. Schrems argued that, by transferring his data to the U.S. in the course of normal operations, Facebook was violating his right to privacy by exposing him to indiscriminate surveillance by U.S. authorities under the NSA’s PRISM program. The Irish data protection authority rejected his complaint, arguing that Facebook’s data transfers were protected by the ‘Safe Harbor.’ The case was then escalated to the Irish High Court, which referred the case to the ECJ.

In today’s decision, the ECJ ruled that the ‘Safe Harbor’ undermined the Irish data regulator’s authority to protect its citizens’ privacy. The Court determined that even if the EC decided that a company’s protections were “adequate,” national authorities can assess those protections “with complete independence.” As a result, the Court ordered national privacy authorities in each of the 28 EU member states to determine whether data transfers to the U.S. “should be suspended on the ground that that country does not afford an adequate level of protection of personal data.”

The ECJ decision does not immediately or permanently cut off data flows to the U.S., but the ruling raises significant questions about the legality of data transfers to the U.S. The Court noted that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” Although this argument could open the door to future regulatory actions against companies that transfer data to the U.S., U.S. policymakers will likely cite the prohibitions on bulk data collection under the USA Freedom Act as evidence that the U.S. has reformed its surveillance policies.

What does this mean for U.S. companies?

Despite its condemnation of U.S. surveillance practices, the ECJ did not rule that U.S. companies cannot transfer data outside of the EU. The ruling invalidated the ‘Safe Harbor’ status conferred by the EC, meaning that companies will now face scrutiny from national data protection regulators in each of the 28 EU member nations individually instead of once at the EU level.

Some EU nations have reacted more strongly than others to the Snowden leaks. Germany and France, in particular, have strongly condemned NSA surveillance and called for additional protections for EU citizens’ data. In contrast, Ireland and the UK have been more supportive of the ‘Safe Harbor,’ and many U.S. tech companies have set up data centers and regional headquarters in Ireland.

There are other ways that companies can transfer data to the U.S., although they are more difficult to implement than the ‘Safe Harbor.’ Companies can acquire “explicit and freely given” consent from the data subject, although “freely given” is interpreted very narrowly, excluding situations where there is implicit or explicit pressure on the subject to approve the transfer. Companies can also build ‘model clauses’ into contracts, which are pre-approved by data protection regulators to allow for the international transfer of data. Finally, for transfers of data within a multinational company, the company can adopt Binding Corporate Rules (BCRs), which restrict how it uses and protects personal data.

Impact on the Digital Single Market

The ECJ’s ruling seems to undermine the premise of the Digital Single Market (DSM) initiative. The DSM is an effort by the EU to reduce barriers to cross-border digital commerce. EU President Jean-Claude Juncker launched the initiative in 2015, promising to deliver more than EUR 250bn in additional growth through a series of ambitious legislative proposals to harmonize and centralize regulatory authority at the EU level. “To do so, we will need to have the courage to break down national silos in telecoms regulation, in copyright and data protection legislation, in the management of radio waves and in the application of competition law.”

Today’s ruling runs contrary to the premise of the DSM. The ECJ’s main finding was that an EC decision “cannot eliminate or even reduce the powers available to the national supervisory authorities” to regulate personal data protection. The ECJ essentially ruled in favor of national silos in data protection over an EU-wide authority.

The Irony of “Adequacy”

The irony of this decision is that many EU countries, and many countries deemed to have “adequate” privacy protections under EU law, have extensive electronic surveillance operations of their own. In fact, the United Kingdom, which is a part of the EU, and Canada, whose data protections were deemed “adequate” by the EC in 2001, participated in the U.S. electronic surveillance programs as part of the “Five Eyes” alliance on signals intelligence.

In May, France passed one of the most intrusive surveillance laws in the world, which requires internet service providers (ISPs) to install “black boxes” in their networks that collect and analyze metadata on millions of internet users. They are also required to furnish access to this data to intelligence and law enforcement agencies. The law also allows French authorities to monitor phone calls and emails, plant bugs, and install keyloggers to monitor suspected terrorists without a court order.

Germany, one of the most vocal critics of NSA surveillance, also has an extensive surveillance apparatus. Germany’s foreign intelligence service, the BND, meets regularly with its NSA counterparts to share intelligence, and is equipped with the NSA computer systems which are used to monitor global internet traffic. According to Der Spiegel, classified NSA documents revealed that in these meetings, BND authorities told their NSA counterparts that they had been “working to influence the German government to relax interpretation of the privacy laws to provide greater opportunities of intelligence sharing.”

Today’s decision represents a Pyrrhic victory for privacy advocates in the EU. Preventing the transfer of personal data to the U.S. will likely have little effect on the NSA’s ability to surveil European citizens, but it could impede legitimate data transfers by more than 4,500 U.S. companies that are part of the ‘Safe Harbor.’ Disrupting international data transfers could have dramatic effects on businesses including tech companies, retailers and airlines. And even if, as Max Schrems claims, “the judgment makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights,” it does nothing to protect the rights of European citizens from digital espionage by their own governments.