In a landmark decision issued yesterday, the European Court of Justice -- the highest court in the European Union -- struck down the "Safe Harbor" data transfer agreement between the EU and the United States. Since 2000, thousands of companies have relied on Safe Harbor to transfer personal data from the EU to the U.S. The Court's decision in Maximilian Schrems v. Data Protection Commissioner (Case C-362/14) has wide-reaching implications for companies and organizations using Safe Harbor as a basis for their data transfer to the United States.
EU-US Safe Harbor Framework
Historically, the U.S. and EU have taken different approaches to privacy and data protection. In addition to a patchwork of various state laws on the topic, the U.S. utilizes a sectoral approach, relying on a series of industry-specific legislation, as well as regulatory enforcement by various federal agencies. The EU, on the other hand, has implemented comprehensive legislation that is applicable across the EU, regardless of the particular industry or entity. The EU's comprehensive privacy legislation, Directive 95/46/EC (the "EU Data Protection Directive"), which became effective on Oct. 25, 1998, prohibits the transfer of personal data outside of the EU unless there is an "adequate level of protection of the data."
In 2000, in response to the EU Data Protection Directive, the EU and the U.S. negotiated a "Safe Harbor" agreement that allowed companies to transfer data between the EU and the U.S. by self-certifying that the company's personal data practices adhered to seven "principles" of Safe Harbor: notice, choice, onward transfer, security, data integrity, access and enforcement. Under Safe Harbor, companies were free to transfer personal data from the EU to U.S.-based computer servers without running afoul of the EU Data Protection Directive and European privacy laws.
For the past few years, the EU and the U.S. have been negotiating amendments to Safe Harbor, but the amendments have yet to be finalized.
The Court's Decision
The European Court of Justice's Schrems ruling issued yesterday stemmed from a lawsuit filed by Max Schrems, an Austrian law student, who argued that the Irish Data Protection Commissioner failed to protect him from mass surveillance by the U.S. National Security Agency (NSA). Schrems argued that, since Facebook stores most of its customer data in the U.S. and transfers personal data to the NSA as part of the NSA's "PRISM" program, his personal data was not sufficiently protected under the EU Data Protection Directive. The Court of Justice was asked to rule on whether national data privacy regulators could unilaterally suspend the Safe Harbor framework.
The Court of Justice expressed two primary concerns with the Safe Harbor framework. The first concern addressed U.S. mass surveillance efforts. As the Court explained, "national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements." The Court also wrote that "[l]egislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life." The Court further noted that there did not appear to be "rules intended to limit any such interference or to the existence of effective legal protection against the interference."
The Court next focused on the lack of legal redress available to individuals affected by violations of Safe Harbor. The Court noted that Safe Harbor failed to provide "any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data" and that such failure "compromises the essence of the fundamental right to effective judicial protection."
Ultimately, the Court ruled that Safe Harbor could not usurp the right of each EU member state's data protection authority to examine whether a transfer of data complies with EU privacy rules. The Court stated that it was now up to the Irish data protection authority to decide whether to suspend the transfer of data from Facebook's European subscribers to the U.S.
The European Court of Justice's ruling in Schrems threatens to disrupt the more than 4,000 European and American companies certified under Safe Harbor, as well as numerous existing business arrangements between the EU and the U.S., including trade in advertising, cloud services and myriad other fields. In practical terms, 28 different EU data protection agencies may now need to weigh in on the legality of a company's data transfer outside of the EU. Unless companies are able to obtain the "explicit and freely given" consent of the individuals concerned to the transfer of their personal data to the U.S., the decision will likely lead to an increase in data being hosted and stored on European servers, and revisions to corporate data transfer contracts and other agreements. Although time-consuming, multinational companies may also consider abiding by model contract clauses on a case-by-case basis or adopting Binding Corporate Rules for intragroup transfers, which require approval by the relevant data protection authorities. While the full extent of the impact of yesterday's ruling has yet to be ascertained, the decision highlights some of the fundamental conflicts between EU and U.S. privacy and data protection laws, and will no doubt put pressure on the ongoing negotiations between the EU and the U.S. on personal data protection.