The European Court of Justice (ECJ) has struck down the 15-year-old “Safe Harbor” agreement that permitted companies operating in Europe to transmit personal user data to the United States, as long as the U.S. ensures an adequate level of data protection at the company and certifies that it will abide by seven EU data privacy principles regarding notice, choice, onward transfer, security, data integrity, access, and enforcement. The case, entitled Maximillian Schrems v. Data Protection Commissioner, was decided on October 6, 2015 and has an immediate effect on European courts. See here.

According to the ECJ, the trans-Atlantic data-sharing pact, which had been enforced by the Federal Trade Commission in the U.S., does not provide adequate protection for Europeans’ private data under EU law in light of the revelations by former American intelligence contractor Edward Snowden concerning the U.S. government’s mass data collection and “PRISM” surveillance program. More than 4,000 companies, including Apple and Amazon, had relied on the “Safe Harbor” agreement.

The ECJ cited two key reasons for invalidating the July 2000 European Commission decision 2000/520/EC, which legally permitted data to be transferred to U.S. companies in accordance with the Safe Harbor provisions:

  • First, the ECJ opinion stated, the Safe Harbor framework made it too difficult for national privacy officials in the European Economic Area to intervene and ensure the security of Europeans’ private data, undermining member states’ independence. “In particular, legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life,” the ECJ decision noted; and
  • Second, the ECJ found that Commission Decision 2000/520/EC of July 26, 2000 as to the adequacy of the Safe Harbor is invalid and that the Safe Harbor framework did not ensure the data was adequately protected under Safe Harbor principles because private data was shared with outside governmental agencies for security purposes. The ECJ noted that the Commission admitted that data was transferred to agencies unnecessarily in some cases. The ECJ also ruled that the framework failed to provide an individual the right to “pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data” and that this was contrary to EU privacy law.

The Court’s decision holds that a decision by the European Commission on the adequacy of data protection offered by a non-EU member state, such as the United States, cannot “eliminate or even reduce” the powers of national regulatory authorities to investigate complaints concerning data privacy. As a result, companies that previously depended upon the protection afforded by the Safe Harbor Agreement now face scrutiny by privacy regulators at each EU member state.

Additionally, the ECJ observed that data protection authorities themselves cannot invalidate an EC Commission decision. However, privacy authorities and data subjects may refer questions regarding the validity of EC Commission decisions to national courts, which ultimately may refer the questions to the ECJ.

The ECJ ruling followed a nonbinding, more wide-ranging opinion on September 23, 2015 by Yves Bot, the Advocate General at the European Court of Justice, that the Safe Harbor Agreement was invalid: “Because the surveillance carried out by the U.S. is mass, indiscriminate surveillance . . . in those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection.”

The case resulted from a complaint by 28-year-old Austrian privacy activist Max Schrems to the Irish Data Protection Commissioner. Schrems alleged that Facebook had improperly transferred personal user data to the United States and sought an investigation into whether Facebook was adequately protecting user data transferred overseas.

The Irish Commissioner rejected the complaint, citing the Commission’s Safe Harbor decision. The Irish High Court (which is not the highest court in the country) then reviewed the case and requested a preliminary ruling from the ECJ on the issue of whether the Irish Commissioner was bound by the Safe Harbor provision.

As a result of the ECJ’s ruling, Irish officials will now review whether Facebook afforded users like Schrems adequate privacy protections. The country could potentially prohibit Facebook from transmitting user data to the United States. European officials stressed that there are other mechanisms that currently permit the flow of personal information to the U.S. from Europe, such as Binding Corporate Rules (BCRs).

In a statement, the FTC said that “We are reviewing the European Court of Justice’s opinion and evaluating its implications.” The agency promised that it “will continue to work together with our European colleagues to develop effective solutions that protect consumer privacy with respect to cross-border data transfers.”

The Sheppard Mullin “Eye on Privacy” blog has provides a helpful analysis of the options available to companies that had relied exclusively on the Safe Harbor in its blog entry “US Safe Harbor Regime Invalidated by Europe’s Highest Court.”