The Court of Justice of the EU (CJEU) has declared that the "Safe Harbor" framework agreement cannot be relied upon to justify transfers of personal data from the EU to the US.
Safe Harbor is an agreement between the US and the EU designed to create a streamlined way to transfer personal data from Europe to US firms in accordance with European data protection rules. These rules allow such transfers only where there is "adequate" protection for the privacy of European data subjects. Safe Harbor is a simple, widely used way to let US firms self-certify their compliance with these rules, which might otherwise require those firms to enter into more complex contractual arrangements. Over 4,000 US companies are currently Safe Harbor self-certified.
This case arose from a complaint to the Irish Data Protection Commissioner by Austrian student, Max Schrems. Schrems has been a Facebook user since 2008 (through its European subsidiary, Facebook Ireland). For many years, Facebook Ireland has relied on Safe Harbor to justify the routine transfers of some, or all, of the personal data of Facebook's European users to the US (for processing by Facebook Inc).
Schrems' complaint arose in light of Edward Snowden's revelations about the secret data collection activities of the US National Security Agency (NSA). Schrems complained to the Commissioner that the practice of mass, indiscriminate surveillance in force in the US meant that the US did not provide "adequate" protections for the privacy of European data subjects. The Commissioner rejected the complaint on the grounds that it was bound by the Safe Harbor principles, under which the European Commission had decided that the US did meet this standard. The Commissioner also rejected Schrems assertion that it must do further checks on Facebook to ensure that adequate measures were in place.
The CJEU rejected the Commissioner's position, and found that the Safe Harbor process was invalid. The CJEU found that it did not provide adequate protection because the US laws which could overrule the Safe Harbor principles went beyond what was strictly necessary and proportionate to protect the US's national security, and left the European data subject without effective legal protection. The CJEU also found that nothing should prevent a national data protection authority from examining claims concerning such data transfers.
Following the decision, the matter will go back to the Irish Commissioner, who will have to decide whether Facebook passes the adequacy test.
Impact of the decision
It would be easy to be alarmist at this stage. Although Safe Harbor in its current form is no longer a viable option, the ICO has already acknowledged that companies relying on Safe Harbor will need time to review their data transfers to the US in order to ensure that they comply with the law.
The decision does not prevent transfers of personal data transfers between the US and EU; other ways to ensure "adequate" protection remain, such as model contractual clauses, binding corporate rules, consents, etc. Arguably, the decision does also raise questions about these methods in that no contract between parties can adequately protect a data subject if the US (or any state) chooses to 'overreach' in a manner that is contrary to European ideals of privacy. European data protection regulators will have to address this issue directly, as a matter of urgency.
Privacy campaigners such as Schrems and Snowden have welcomed the decision, while global businesses such as IBM have criticised it. IBM has despaired of a "highly uncoordinated approach to Internet regulation… creating significant commercial uncertainty".
Talks are underway about "Safe Harbor 2", although the added political heat that this decision brings may well add to the already considerable delays in getting this agreed.
In the vacuum created by the decision, each data protection regulator could potentially set its own standards for US transfers, which would further complicate the regulatory landscape in Europe. However, any suggestion that this may result in countries suspending data transfers to the US seems unlikely in the short term, especially since the US is already in the process of enacting some legislation to curb the perceived excesses of the NSA.