EU's Top Court Rules Against "Safe Harbour" Pact
The European Court of Justice (ECJ) has found a European Commission decision adopting a bilateral pact between the EU and the US on data transfer to be invalid, in a move that is expected to impact the way thousands of technology companies operate and potentially affect the Transatlantic Trade and Investment Partnership (TTIP) negotiations.
Specifically at issue in the case is the “Safe Harbour” framework, a 15-year-old set of principles between the US and EU regarding personal data protection. The framework was established as a way to resolve differences between the two sides in this area, given the EU’s adoption in 1998 of its Directive on Data Protection, which prohibits data transfers from the EU to non-EU countries should the latter not meet an “adequate” standard of protection.
The EU’s highest court began reviewing the legality of the Commission’s decision adopting the framework following a complaint by Max Schrems, an Austrian national who had filed a claim with the Irish Data Protection Commissioner arguing that US laws and practices do not afford data transferred from the EU to the US the appropriate protection against surveillance by public authorities.
Under the Safe Harbour framework, Facebook’s Irish subsidiary transfers data related to EU subscribers to US-based servers for processing. Schrems, who is a member of Facebook, specifically cited the revelations made by Edward Snowden two years ago regarding the operations of the US’ National Security Agency (NSA) – where Snowden had worked as a government contractor – as reason for his concern.
The Irish Data Protection Commissioner had rejected Schrems’ claim, arguing that the Safe Harbour framework means that the US does provide the needed protection for such data.
The case was then brought to Ireland’s High Court, in order to determine whether the European Commission’s decision in 2000 adopting Safe Harbour means that national supervisory authorities cannot examine cases questioning the protection of such data and potentially suspend these transfers if needed.
The Irish High Court in turn asked that the ECJ consider whether the Commission decision effectively prevents national supervisory authorities from investigating complaints over the levels of data protection provided by another country.
In its ruling, the ECJ determined that national supervisory authorities do indeed have that power, with the EU Commission unable to reduce or eliminate it in its decisions. The Court noted in particular the right to the protection of personal data that is guaranteed in the Charter of Fundamental Rights of the European Union.
Furthermore, the Court also said that the Commission was required to determine that the US ensures a level of protection of fundamental rights equivalent to those embodied in the above-mentioned Charter, either through US domestic law or international commitments. Such a requirement was not fulfilled by the EU executive, the ECJ said.
The fact that US public authorities are not subject to Safe Harbour, given that the framework only applies to companies that sign on, along with the fact that Washington’s national security, public interest, and law enforcement requirements could lead companies to “disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements,” was also cited by the ECJ as problematic, given that the Commission’s Safe Harbour decision does not note any US rules that would limit this same interference or provide legal protections against it.
Ultimately, the ECJ deemed that the Safe Harbour decision was itself invalid for a variety of reasons, citing among these the inability of individuals to seek redress in order to access their own personal data, or to erase or correct it, as well as the restrictions placed by the Commission on national supervisory authorities’ powers when facing individual complaints.
In the wake of the ruling, technology companies in the US have reportedly been racing to update their terms of service and other operating policies in order to ensure that these are in line with the law.
Some industry associations have warned, however, that the uncertainty posed by the new ruling could be hugely damaging for companies, and have called for more clarity on how to implement these findings.
“The ruling creates uncertainty for the European and international companies that rely on Safe Harbour for their commercial data transfers, most of which are small and medium-sized enterprises,” said Christian Borggren, Europe Director for the Computer & Communications Industry Association.
Furthermore, Borggren said, suspending Safe Harbour is likely to “negatively impact Europe’s economy, hurt small and medium-sized enterprises, and the consumers who use their services, the most.”
Besides affecting the way technology companies operate, many analysts say that the ruling could affect the ongoing TTIP negotiations between the EU and the US, particularly given the parallel efforts between the two sides to update the Safe Harbour framework, a process that began in 2013.
The TTIP negotiations are now well into their second year, with the next negotiating round set for 9-23 October in Miami, Florida. While EU Trade Commissioner Cecilia Malmström and US Trade Representative Michael Froman pledged last month to speed up the talks, following a “political stocktaking” meeting in Washington, questions remain as to whether the lagging negotiations will be able to pick up speed. (See Bridges Weekly, 24 September 2015)
Civil society groups and EU parliamentarians have been among those raising concerns over whether and how the issue of data privacy might be addressed in TTIP, including what protection guarantees would be included with any provisions that deal with cross-border data flows. Similar questions have also been raised regarding other trade negotiating forums, including the ongoing talks among various WTO members for a Trade in Services Agreement (TISA), among others.
EU Commission, US officials respond
European Commission officials, for their part, have suggested that the ECJ ruling is actually an affirmation of EU citizens’ fundamental rights to data protection, with First Vice-President Frans Timmermans calling it “a confirmation of the European Commission’s approach for the renegotiation of the Safe Harbour.”
Given the ruling, Timmermans said the EU executive will now focus on three main priorities to address the issue: protection of personal data transferred between the EU and US; the continuation of such data flows with the necessary safeguards; and ensuring that EU law is applied in a uniform manner across the bloc’s internal market.
The EU official suggested that those companies that operated under such a framework can use other mechanisms for international data transfers that are provided for under European law, with Timmermans pledging that the Commission will come out with “clear guidance” for national data protection authorities on how to respond to the ruling with regard to managing data transfer requests.
In a related statement, Věra Jourová, the EU Commissioner for Justice, Consumers, and Gender Equality, suggested that companies could use other mechanisms under EU data protection rules, such as standard data protection clauses in trans-Atlantic contracts between companies, as well as binding corporate rules for transfers within a corporate group.
The importance of finalising the Safe Harbour revisions swiftly was also raised by Jourová, who noted that the Commission has already tabled 13 recommendations on how to improve the Safe Harbour framework, which were put together in 2013 in light of the Snowden revelations.
Across the Atlantic, US officials have openly criticised the ECJ ruling, with Commerce Secretary Penny Pritzker calling the result “deeply disappointing.”
The decision, she warned, “creates significant uncertainty for both US and EU companies and consumers, and puts at risk the thriving transatlantic digital economy.” However, she affirmed that the US is ready to work with the European Commission in order to address this uncertainty, highlighting also the importance of completing the update to the Safe Harbour framework.
ICTSD reporting; “EU Court Says Data-Transfer Pact With U.S. Violates Privacy,” THE WALL STREET JOURNAL, 6 October 2015; “Safe Harbour: EU court ruling hits Facebook, Amazon,” FINANCIAL TIMES, 6 October 2015; “US tech companies overhaul operations after EU data ruling,” FINANCIAL TIMES, 6 October 2015.