
Max Schrems welcomes ECJ ruling that Safe Harbour is invalid

The European Court of Justice declares the Safe Harbour framework invalid as a mechanism to legitimise transfers of personal data from the EU to the US

Austrian privacy activist Max Schrems has welcomed the ruling by the European Court of Justice (ECJ) that EU data protection authorities are not bound by the Safe Harbour agreement.

The Safe Harbour agreement provides a means for US companies to transfer personal data from the EU to the US that meets EU data protection requirements.

But the ECJ declared the Safe Harbour framework invalid as a mechanism to legitimise transfers of personal data from the EU to the US.

The court’s view is that Safe Harbour is unable to prevent large-scale access by the US intelligence authorities to data transferred from Europe, and therefore does not provide an adequate level of data protection.

The ECJ ruling means that individual European countries can now set their own regulation for US companies’ handling of citizens’ data.

The case was originally brought against Facebook and Ireland’s Data Protection Commissioner, but the data protection authority rejected the case, claiming it was bound by the Safe Harbour agreement.

Schrems subsequently appealed to the high court in Dublin, which referred the case to the ECJ for a ruling on whether the watchdog was bound by the Safe Harbour agreement.

Personal data safeguards

Schrems began the case before Snowden alleged that the US National Security Agency (NSA) was routinely intercepting data from emails, social media and telephones.

His initial complaint was to Facebook, whose European headquarters are in Dublin, over what was happening to his personal records. But Snowden’s allegations led Schrems to apply for an audit of the data Facebook was passing to the NSA.


When the application was dismissed, Schrems went to the high court in Dublin. He argued that, when Facebook collects user data and exports it to the US under Safe Harbour rules, it is giving the NSA the opportunity to use the data for mass surveillance.

Referring the case to the ECJ, judge Gerard Hogan said evidence suggested that personal data was routinely accessed on a “mass and undifferentiated basis” by the NSA.

He said Facebook users should have their privacy respected under the Irish constitution, and that for such interception of communications to be constitutionally valid, it would be necessary to demonstrate that it was justified in the interests of the suppression of crime and national security, and was attended by the appropriate and verifiable safeguards.

Schrems was calling for the Safe Harbour agreement to be scrapped and for the Dublin Data Protection Commissioner’s (DPC) office to audit the exchange of personal data with US security agencies.

A milestone in online privacy

Reacting to the ECJ’s judgement, Schrems said he hopes that it will become a milestone in online privacy. “This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible,” he said in a statement.

According to Schrems, the decision also highlights that governments and businesses cannot simply ignore people’s fundamental right to privacy, but must abide by the law and enforce it.

“This decision is a major blow for US global surveillance that relies heavily on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights,” he said.

Schrems said the judgement means that national data protection authorities can review data transfers to the US in each individual case, whereas the Safe Harbour agreement gave blanket approval to such transfers. However, he said that despite some alarmist comments, he does not expect to see major disruptions in practice.

Schrems said the judgement is also a victory against the Irish DPC, which has maintained that this case should not be dealt with because it was “frivolous”.

“The Irish DPC has a clear duty to do its job and protect our privacy under EU and Irish law,” he said.

Changes to the law

According to Schrems, the European Commission and the US government may be able to remedy the situation. “It’s clear from the judgement that a solution will very likely require severe changes in US law and more than just an update to the current Safe Harbour system. Otherwise, full compliance with EU fundamental rights and the judgement will be very hard to achieve,” he said.

While the average consumer will not see any restrictions in daily use, Schrems said they will hopefully soon be able to use online services without potentially being subject to mass surveillance.

However, he said US companies that obviously aided US mass surveillance, such as Apple, Google, Facebook, Microsoft and Yahoo, may face serious legal consequences from this ruling when data protection authorities of 28 member states review their co-operation with US spy agencies.

Today’s (6 October 2015) ruling could have a significant impact on all EU-US data transfer mechanisms as it is likely that other legal tools, beyond Safe Harbour, which organisations rely on to transfer personal data from the EU to the US will come in for scrutiny too, said Marc Dautlich, information law partner at legal firm Pinsent Masons.

“That prospect creates uncertainty for businesses that, until now, will have believed the data transfer arrangements they have in place meet the standards required by EU law,” he said.

Dautlich said currently businesses can adopt “model clauses” which help them to meet the adequacy standards of EU data protection laws when transferring personal data outside of the EU. Companies can also implement “binding corporate rules” (BCRs) for intra-group data transfers around the world.

“Both the model clauses and BCRs frameworks could now come in for scrutiny for similar reasons to those highlighted in relation to the Safe Harbour regime,” he said.

Eduardo Ustaran, partner and European head of data protection at law firm Hogan Lovells, said the ruling has “massive implications” for international data flows.

“It effectively leaves any organisation that relied upon Safe Harbour exposed to claims that transfers of personal data from the EU to the US are unlawful, unless they fit within one of the legal exemptions or are authorised by data protection authorities.

“Multinationals relying on Safe Harbour to transfer data from Europe across the Atlantic will need to rethink how they operate. US-based businesses certified under Safe Harbour to receive data from European customers will need to provide alternative guarantees for those customers to be able to engage their services lawfully,” he said.

Negative aspects of ECJ ruling

In its initial reaction to the ruling, however, BSA | The Software Alliance said it was “very disappointed” by the ECJ’s decision.

“We are studying the details of the decision, but are very concerned that this decision will have a negative impact not just on providers of data services but will also be harmful to consumers of those services,” said Thomas Boué, director of policy for Europe at BSA.


“Today’s decision further underscores the importance of ongoing negotiations to craft a renewed and strengthened framework. BSA members are committed to fully protecting their customers’ personal data, and the Safe Harbour agreement is extremely important to ensuring European citizens have full access to the range of data services now transforming the European economy,” he added.

Antony Walker, deputy CEO at techUK, said the ruling is “hugely significant” and will cause real confusion and uncertainty for all sorts of businesses that need to transfer data between the EU and US.

“Businesses will be looking to the European Commission and national data protection authorities to steady the ship and provide clarity on what they need to do to ensure their transatlantic data transfers are lawful.

“This is a big issue for many small businesses, in particular, which will be faced with the time-consuming and costly task of working through the full legal implications. The ability to transfer data lawfully across borders is fundamental for a growing and dynamic digital economy. Businesses need stability and certainty in the legal framework that enables this to happen,” he said.

Andy Hardy, managing director for Europe at data protection firm Code42, described the ruling invalidating Safe Harbour as “seismic”, affecting businesses of all sizes.

“But it need not be the end of business as we know it in terms of data handling. What businesses need to do now is safeguard data,” he said.

According to Hardy, businesses must ensure they can keep company and customer data private, even when backed up into a public cloud.

“The right technology will ensure data is encrypted before it leaves the endpoint device, so that it cannot be decrypted in the cloud and hence remains private. The best technologies will ensure that encryption keys are kept by our customers on-premise, so only they can decrypt the data and that no one else can access it unless with prior direct request. This is the only way to ensure privacy in the public cloud post-Safe Harbour,” he said.
