On Tuesday, October 6, the European Court of Justice in Luxembourg has declared the Safe Harbour Decision invalid. Austrian Maximillian Schrems filed a complaint against Facebook with the Irish supervisory authority after discovering the company had gathered over 1,200 pages of his personal information. In his view leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans’ rights to privacy.

Safe Harbor negotiations' between the U.S. Department of Commerce and the EU Commission have focused attention on restrictions placed by European data protection law (as privacy law is called in Europe) on the transfer of personal data from the Community to third countries. The Safe Harbor scheme went into effect on November 1, 2000, enabling American tech companies to compile data generated by their European clients in their web searches (Google), social media posts (Facebook, Twitter) and other online activities (products or movies online from E-Bay, Amazon or Apple). Under the deal, more than 4,000 European and American companies had been expected to treat the information moved outside the European Union with the same privacy protections the data had inside the region.

The safe-harbor provisions were the biggest innovation from the Digital Millennium Copyright Act (DMCA) in the USA; they provide liability limitations to internet intermediaries provided they fulfilled certain conditions in the field of consumer protection. The same provisions on safe-harbor were adopted by the European legislator in the E-Commerce Directive in order to encourage the internet services (hosting service providers)  by harmonizing fundamental aspects, like the guarantee of the fundamental right of privacy.
Harmonization of the internal market on the field of electronic commerce would give European firms the opportunity to compete with the big internet companies from the USA. With the growing importance of electronic commerce in Europe, the importance of European data protection rules for any company interested in doing business in Europe or dealing with European customers can only increase. In a decision of 26 July 2000 the European Commission considered that, under the ‘safe harbor’ scheme, the United States ensures an adequate level of protection of the personal data transferred (the 'Safe Harbour Decision').
The Data Protection Directive provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. EU data protection law requires that processing be strictly limited to the purpose originally notified to the data subject and therefore that processing of personal data must be restricted to the minimum amount necessary (principle of data minimization). France and Germany, where companies like Facebook and Google have huge numbers of users and have already been subject to other privacy rulings, are among the countries that have sought more aggressive protections for their citizens’ personal data. Britain and Ireland, among others, have been supportive of Safe Harbor, and many large American tech companies have set up overseas headquarters in Ireland.

Mr Maximilian Schrems, an Austrian student, whose personal data provided to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed, lodged a complaint against Facebook with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.

In ECJ Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner the European Court of Justice ruled that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life. The Court observed that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection. The Court ruled that the existence of a Commission decision (Safe Harbour Decision) finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union. Even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive.BlogSafeHarbor

The Court observed that the safe harbor scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbor scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.

Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way. The European Court of Justice has declared the Safe Harbour Decision invalid.

Frans Timmermans, the first vice president for the European Commission, which will be charged with carrying out the ruling, tried to ease the concerns of companies on Tuesday. He said businesses could still move European data to the United States through other existing treaties. He added that the European Commission would work with national privacy regulators to ensure that the court’s decision was carried out in a uniform fashion across the entire region. The United States government had lobbied aggressively in Brussels in recent months to keep the agreement in place. The United States and the European Union have worked for roughly two years on a new safe harbor agreement. The court’s ruling now puts pressure on negotiators to complete an agreement, but it may also complicate matters. To coordinate the national supervisory authorities of the 28 EU-member states the European Commission should take the lead and show the way in answering the rather political question if the personal data should stay in Europe or under which technical and legal conditions the data continue to be stored in third countries.

[number of readers: 767]

Librarian's choice

A selection of relevant publications from the Peace Palace Library collection

Leave a Reply

Your email address will not be published. Required fields are marked *