Opinion.

ECJ rejects US Safe Harbor scheme as invalid

06/10/2015

At a glance

A judgment from the European Court of Justice (ECJ), effectively overturning a decision as to the validity of the US Safe Harbor agreement, could have far-reaching consequences for all companies which transfer personal data between the European Economic Area (EEA) and the US.

The ruling is a victory for Austrian activist Max Schrems, whose breach of privacy claim against Facebook (brought in Ireland, where Facebook’s European headquarters are based) was based on the fact that no protection was afforded to European citizens against US surveillance once their data had been transferred. Ireland’s data regulator initially rejected his case on the basis that the Safe Harbor agreement prevented it from intervening. Schrems appealed and the matter was referred to the ECJ, querying whether the Irish courts could evaluate the adequacy of the Safe Harbor scheme.

In detail

What is Safe Harbor?

European law places a number of important protections on the storage and processing of personal data (data which relates to the identity of a living individual) within the EEA. Furthermore, personal data can only be transferred outside of the EEA to a third country that ensures an adequate level of protection of the data. The Safe Harbor agreement, a set of principles designed to harmonise the different legal frameworks relating to the flow of personal data between the EEA and US, was established to allow US companies to satisfy this requirement for the adequate protection of personal data.

ECJ’s Judgment

The ECJ ruled today that the US data storage systems operated by Facebook and other digital operators do not protect customers from state surveillance and declared the US Safe Harbor scheme invalid.

Today’s judgment confirmed the opinion issued by Yves Bot, Advocate General of the ECJ, in September, which concluded that the “mass, indiscriminate surveillance” carried out by the US intelligence services could not be regarded as ensuring an adequate level of protection and interfered with the fundamental rights of European citizens.

What next?

The immediate outcome of this ruling will require the Irish data regulator to decide whether or not Facebook’s data transfers from the EEA to the US should be suspended. However, the fall-out of this judgment will be far wider.

Many thousands of companies rely on Safe Harbor as a means of legalising transfers of personal data to the US from Europe. Those companies will now need to find an alternative legal framework, such as binding corporate rules (potentially a feasible option for international groups of companies), drawing up contracts containing the European Commission’s approved “model contract clauses”, or other contractual agreements which set out the relevant US party’s obligations in relation to data protection and privacy. All options could result in a time-consuming administrative exercise for all involved. However, the underlying question will be whether US companies will be able to comply with the terms of such arrangements and protect the personal data of European citizens from state surveillance.

Let’s not forget that companies may also obtain the “explicit and freely given” consent of the data subjects to the transfer of their personal data. This is, however, often seen as practically imperfect in a number of situations (particularly in relation to employees, where it is hard to evidence that the consent is a free choice) and there could be significant implications for relying on such consent if it is challenged as being inadequate in the future.

This judgment will cause virtually all European companies (and those who operate data centres here) to reconsider data transfers to the US. Until a new data-sharing agreement is established with the US (a new Safe Harbor pact has been in negotiation for nearly two years), this is likely to cause considerable headaches for Facebook and other digital operators.

Tim Ryan
Sophia Costley
