European Court of Justice has declared Safe Harbor invalid

On 6 October 2015 the European Court of Justice issued a judgement in favour of a private individual, Mr Schrems, against Facebook, declaring as inadequate the protection provided by the US safe harbor privacy principles. The case has been referred back to the Irish Court, where the complaint began.

In the complaint against Facebook to data regulators in Ireland, where Facebook has its European base, Mr Schrems argued that letting so much data flow to the US has exposed Europeans to American spying. By backing that claim, the European Court of Justice has removed the conduit that thousands of companies relied on for the Treaty’s protection to send information wholesale to the US, and left them scratching their heads to find a new legal foundation for their handling of cross-border data shipments.

To remind ourselves of the origins of safe harbor – the European Commission’s Directive on Data Protection went into effect in October 1998, and would prohibit the transfer of personal data to non-European Union countries that did not meet the EU “adequacy” standard for privacy protection. While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU.

In order to bridge these differences in approach and provide a streamlined means for US organizations to comply with the Directive, the US Department of Commerce, in consultation with the European Commission, developed a “safe harbor” framework and this website to provide the information an organization would need to evaluate – and then join – the US-EU Safe Harbor program.

The ECJ decision creates significant uncertainty for organisations that rely on safe harbor either for their own internal data transfers, or because they use a service provider which, in turn, relies on safe harbor to provide adequacy for its transfers to the US. Alternative methods of addressing data transfers will be needed – such as implementing EU Commission approved data transfer agreements, or obtaining individual consent.

Although the decision has invalidated safe harbor – with immediate effect – organisations need to look to the reactions of national data protection authorities to determine how urgently to implement alternative data transfer solutions. For example, the UK Information Commissioner has issued a measured press release noting that, whilst alternative approaches will be needed, they will be taking time to assess the situation. This will include liaising with other EU data protection authorities.

The US Department of Commerce says they will continue to administer the safe harbor program, including processing submissions for self-certification to the Safe Harbor Framework.

Exactly how hard the ECJ’s decision bites will depend a lot on the political fallout from the case. It comes after months of transatlantic prevarication, with the US and EU gridlocked in talks over how to tighten Safe Harbor to meet European concerns. The European Commission’s demands are brief, filling less than a single side of A4 paper. What Brussels wants is simple but difficult to give: guarantees about when and how US intelligence agencies are able to examine data from EU citizens.

If the court ruling makes it more difficult to reach a new agreement, then Mr Schrems will have gone a long way to resetting digital relations across the Atlantic. The tech industry in particular waits for the outcome.

Tom Redfern