Maximillian Schrems v. Data Protection Commissioner, C‐362/14 (Court of Justice of the European Union Oct. 2015)
In what some are calling a victory against NSA surveillance, the Court of Justice of the European Union (“CJEU”) invalidated a key part of the current transatlantic “Safe Harbor” agreement between the United States and the European Union earlier this month. The case began in 2013 when privacy activist Maximillian Schrems filed a complaint against Facebook with the Irish Data Protection Commissioner, alleging based on evidence disclosed by then-NSA contractor Edward Snowden that American companies were not adequately protecting Europeans’ data from government snooping. Although Schrems’ complaint was initially rejected by the Irish data authority, the High Court of Ireland eventually referred the case to the top court in the European Union, which handed down the unexpected decision on October 6, 2015.
The CJEU held in Schrems v. Data Protection Commissioner that the privacy principles adopted under U.S.-E.U. Safe Harbor agreement violate the 1995 European Data Protection Directive, which provides a level of baseline protections to safeguard the privacy of all European citizens’ data. Since 2000, the Safe Harbor arrangement has allowed American companies to process the personal data of European citizens by self-certifying to the U.S. Department of Commerce that they adhered to certain guidelines and principles, including notice, choice, access, security, data integrity, and enforcement. Over 4,000 American technology companies rely on the Safe Harbor framework to operate in Europe without violating the continent’s privacy laws. Without it, those companies may not be able to send data from their European users back to the United States, a prohibition that could be incredibly costly.
Privacy advocates like the Electronic Frontier Foundation and New America’s Open Technology Institute have characterized the decision as a clear signal that further reform of the National Security Agency’s surveillance programs is needed. NSA whisteblower Edward Snowden even told Schrems he had “changed the world for the better” via Twitter. But many have also expressed concern about the economic ramifications that American technology companies will experience unless and until the United States successfully negotiates a new Safe Harbor agreement with the E.U. As U.S. Secretary of Commerce Penny Pritzker noted in a press release following the ruling, the decision “creates significant uncertainty for both U.S. and E.U. companies and consumers, and puts at risk the thriving transatlantic digital economy.” Just Security provides a nuanced overview of the ruling and its implications.