On Tuesday, October 6, the European Court of Justice in Luxembourg has declared the Safe Harbour Decision invalid. Austrian Maximillian Schrems filed a complaint against Facebook with the Irish supervisory authority after discovering the company had gathered over 1,200 pages of his personal information. In his view leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans’ rights to privacy.
Safe Harbor negotiations' between the U.S. Department of Commerce and the EU Commission have focused attention on restrictions placed by European data protection law (as privacy law is called in Europe) on the transfer of personal data from the Community to third countries. The Safe Harbor scheme went into effect on November 1, 2000, enabling American tech companies to compile data generated by their European clients in their web searches (Google), social media posts (Facebook, Twitter) and other online activities (products or movies online from E-Bay, Amazon or Apple). Under the deal, more than 4,000 European and American companies had been expected to treat the information moved outside the European Union with the same privacy protections the data had inside the region.
Mr Maximilian Schrems, an Austrian student, whose personal data provided to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed, lodged a complaint against Facebook with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.
In ECJ Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner the European Court of Justice ruled that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life. The Court observed that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection. The Court ruled that the existence of a Commission decision (Safe Harbour Decision) finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union. Even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive.
The Court observed that the safe harbor scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbor scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.
Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way. The European Court of Justice has declared the Safe Harbour Decision invalid.
Frans Timmermans, the first vice president for the European Commission, which will be charged with carrying out the ruling, tried to ease the concerns of companies on Tuesday. He said businesses could still move European data to the United States through other existing treaties. He added that the European Commission would work with national privacy regulators to ensure that the court’s decision was carried out in a uniform fashion across the entire region. The United States government had lobbied aggressively in Brussels in recent months to keep the agreement in place. The United States and the European Union have worked for roughly two years on a new safe harbor agreement. The court’s ruling now puts pressure on negotiators to complete an agreement, but it may also complicate matters. To coordinate the national supervisory authorities of the 28 EU-member states the European Commission should take the lead and show the way in answering the rather political question if the personal data should stay in Europe or under which technical and legal conditions the data continue to be stored in third countries.
A selection of relevant publications from the Peace Palace Library collection
- Benjumea Moreno, J., "Publlisher or technical provider? Monitoring as editorial control and the "safe harbor" of art. 14 E-Commerce Directive", Jura Falconis, 49 (2012-2013), No. 4, pp. 663-683.
- Kuner, C., "Beyond Safe Harbor: European Data Protection Law and Electronic Commerce", The international lawyer, 35 (2001), No.1, pp. 79-88.
- Tourkochoriti, I., "The Transatlantic Flow of Data and the National Security Exception in the European Data Privacy Regulation: In Search for Legal Protection Against Surveillance", University of Pennsylvania Journal of International Law, 36 (2014), No. 2, pp. 459-524.