European Court of Justice Invalidates Key Part of U.S.-E.U. “Safe Harbor” Agreement


Maximillian Schrems v. Data Protection Commissioner, C‐362/14 (Court of Justice of the European Union Oct. 2015)

In what some are calling a victory against NSA surveillance, the Court of Justice of the European Union (“CJEU”) invalidated a key part of the current transatlantic “Safe Harbor” agreement between the United States and the European Union earlier this month. The case began in 2013 when privacy activist Maximillian Schrems filed a complaint against Facebook with the Irish Data Protection Commissioner, alleging, based on evidence disclosed by then-NSA contractor Edward Snowden, that American companies were not adequately protecting Europeans’ data from government snooping. Although Schrems’ complaint was initially rejected by the Irish data authority, the High Court of Ireland eventually referred the case to the top court in the European Union, which handed down the unexpected decision on October 6, 2015.

The CJEU held in Schrems v. Data Protection Commissioner that the privacy principles adopted under the U.S.-E.U. Safe Harbor agreement violate the 1995 European Data Protection Directive, which provides a level of baseline protections to safeguard the privacy of all European citizens’ data. Since 2000, the Safe Harbor arrangement has allowed American companies to process the personal data of European citizens by self-certifying to the U.S. Department of Commerce that they adhered to certain guidelines and principles, including notice, choice, access, security, data integrity, and enforcement. Over 4,000 American technology companies rely on the Safe Harbor framework to operate in Europe without violating the continent’s privacy laws. Without it, those companies may not be able to send data from their European users back to the United States, a prohibition that could be incredibly costly.

Privacy advocates like the Electronic Frontier Foundation and New America’s Open Technology Institute have characterized the decision as a clear signal that further reform of the National Security Agency’s surveillance programs is needed. NSA whistleblower Edward Snowden even told Schrems he had “changed the world for the better” via Twitter. But many have also expressed concern about the economic ramifications that American technology companies will experience unless and until the United States successfully negotiates a new Safe Harbor agreement with the E.U. As U.S. Secretary of Commerce Penny Pritzker noted in a press release following the ruling, the decision “creates significant uncertainty for both U.S. and E.U. companies and consumers, and puts at risk the thriving transatlantic digital economy.” Just Security provides a nuanced overview of the ruling and its implications.

The decision comes during a period of heightened transatlantic tension over data protection issues. Although the Safe Harbor framework was developed in consultation with E.U. experts and has been in place for over a decade, European officials have become increasingly concerned that it makes it easier for American technology companies to avoid adherence to the E.U.’s stricter privacy protections — concerns which escalated significantly after the Snowden disclosures revealed the extent of certain NSA programs’ reliance on data from American companies. In March 2014, for example, members of the European Parliament voted in favor of a resolution on the mass surveillance of E.U. citizens, which, among other things, called for the suspension of the Safe Harbor agreement.

In its opinion, the court did not actually address whether the Safe Harbor framework itself provides the level of data protection guaranteed by the E.U. The court focused instead on the validity of a 2000 European Commission decision that determined that the “Safe Harbor Privacy Principles” adopted by the United States met more stringent E.U. privacy standards. Because American national security and law enforcement interests take priority over the Safe Harbor agreement, however, the court reasoned that “United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with [national security and law enforcement] requirements.” As a result, the court found that the agreement enables public authorities in the United States to interfere with the fundamental rights of European citizens.

Importantly, and contrary to some early reports, the decision does not invalidate the entire Safe Harbor framework. Rather, it says that the Irish Data Protection Commissioner — along with other national regulators in the E.U. — is not bound to adhere to the 2000 finding of the European Commission, and can investigate for itself whether transferring data from Facebook Ireland to its U.S. parent company provides adequate privacy protections.

The ruling could have a significant impact on the way American companies can store and transfer data on European citizens. In addition to potentially stricter privacy requirements, American companies may have to navigate more than 20 different policies adopted by European member states, rather than a single E.U.-wide policy. In the meantime, U.S. and E.U. officials are continuing negotiations over the so-called “Safe Harbor 2.0,” which would create a more privacy-protective transatlantic agreement. The ruling has also prompted renewed calls for further surveillance reform in the United States.

Danielle Kehl is a fellow at New America’s Open Technology Institute and a 1L at Harvard Law School.