End of Safe Harbour agreement between the USA and the European Union after Court of Justice of the European Union yesterday?

October 7, 2015

The press release says it all: The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid. The decision, officially titled Maximillian Schrems v Data Protection Commissioner, is found here. The Safe Harbour agreement was the basis on which data could be transferred from the EU to the USA in compliance, or that was the theory, with EU data regulations. How effectively it did this was always the issue, and the Federal Trade Commission was kept busy prosecuting organisations that did not comply with the Safe Harbour Agreement.

The issue is how this will impact data transfers in the immediate term. The BBC has undertaken a good review and analysis in Facebook data transfers threatened by Safe Harbour ruling.

It provides:

A pact that helped the tech giants and others send personal data from the EU to the US has been ruled invalid.

The European Court of Justice said that the Safe Harbour agreement did not eliminate the need for local privacy watchdogs to check US firms were taking adequate data protection measures.

It added that the ruling meant Ireland’s regulator now needed to decide whether Facebook’s EU-to-US transfers should be suspended.

The pact has existed for 15 years.

Facebook has denied any wrongdoing.

“This case is not about Facebook,” said a spokeswoman.

“What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows.

“We will of course respond fully to any enquiries by our regulator the Irish Data Protection Commission as they look at how personal data is being protected in the US.

“The outcome… will have significant implications for all Irish companies who transfer data across the Atlantic.”

The ruling was the result of a legal challenge by an Austrian privacy campaigner concerned that the social network might be sharing Europeans’ personal data with US cyberspies.

“I very much welcome the judgement of the court, which will hopefully be a milestone when it comes to online privacy,” said Max Schrems on learning of the judgement.

“It clarifies that mass surveillance violates our fundamental rights.”

But others warned it could have far-reaching consequences.

“Thousands of US businesses rely on the Safe Harbour as a means of moving information to the US from Europe,” said Richard Cumbley from the law firm Linklaters.

“Without Safe Harbour, they will be scrambling to put replacement measures in place.”

The European Commission said it would issue “clear guidance” in the coming weeks to prevent local data authorities issuing conflicting rulings.

Let’s start from scratch. What exactly is Safe Harbour?

The term refers to an agreement struck by the EU and US, that came into effect in 2000.

It was designed to provide a “streamlined and cost-effective” way for US firms to get data from Europe without breaking its rules.

The EU forbids personal data from being transferred to and processed in parts of the world that do not provide “adequate” privacy protections.

So, to make it easier for US firms – including the tech giants – to function, Safe Harbour was introduced to let them self-certify that they are carrying out the required steps.

More than 5,000 US companies make use of the arrangement to facilitate data transfers.

Why was it challenged?

In 2013, whistleblower Edward Snowden leaked details about a surveillance scheme operated by the NSA called Prism.

It was alleged the agency had gained access to data about Europeans and other foreign citizens stored by the US tech giants.

Privacy campaigner Max Schrems asked the Irish Data Protection Commission to audit what material Facebook might be passing on.

However, the watchdog declined saying the transfers were covered by Safe Harbour.

When Mr Schrems contested the decision, the matter was referred to the European Court of Justice.

The case reflected a clash between two cultures: in the EU, data privacy is treated as a fundamental right; in the US, other concerns are sometimes given priority.

So, what are the immediate implications of the court’s ruling?

Personal data should no longer be transferred to US bodies solely on the basis they are Safe Harbour-certified.

Instead to authorise the “export” of the data, the two bodies involved must draw up and sign what’s referred to as “model contract clauses”, which set out the US organisation’s privacy obligations.

“It will involve lots of contracts between lots of parties and it’s going to be a bit of a nightmare administratively,” commented Nicola Fulford, head of data protection at the UK law firm Kemp Little.

“The model clauses themselves are standard form – what you need to put into them are details of the data involved and the security steps being taken.

“It’s not that we’re going to be negotiating them individually, as the legal terms are mostly fixed, but it does mean a lot more paperwork and they have legal implications.”

All of this will drive up costs and potentially cause delays.

Does this mean the tech giants are going to have to halt or alter some of their services?

It depends on who you speak to.

The big-name firms are being guarded about what they say.

Sources at one firm suggest it believes it already has all the necessary contracts drawn up and processes in place to avoid any disruption.

But an insider at another company suggests that it may have to alter or stop some of its data transfers across the Atlantic.

What everyone agrees on, however, is that the ruling will have wider impact.

“It’s not just about companies whose core activities is data processing – i.e. the Facebooks of the world – it’s the companies who don’t have data processing capabilities of their own and transfer personal data abroad to get it done,” explains Allie Renison from the UK’s Institute of Directors.

“So, if you’re a company that sends payroll data for administrative purposes across to the US, that becomes an issue.

“Likewise, it affects you if you’re a firm trying to send over data about your customers for a marketing campaign.”

Shouldn’t everyone be prepared for this – after all this was referred to the ECJ more than a year ago?

Yes – but few expected the court to rule on the matter so quickly.

Having said that, while some data privacy regulators – including the UK and Ireland’s – said they were satisfied with Safe Harbour’s stamp of approval, Germany’s watchdogs raised concerns years ago.

As far back as 2010, they told local firms they were still obliged to check whether Safe Harbour-certified organisations were actually taking adequate measures, and suggested they draw up model contract clauses to avoid any doubt.

Those data privacy watchdogs could face more work now, right?

Potentially, yes.

If people challenge whether adequate steps to protect their data are being taken, the regulators may now need to intervene.

Max Schrems certainly intends to try again to make the Irish Data Protection Commissioner look into Facebook.

It should, however, be stressed that the social network strongly denies providing “backdoor” access to the US intelligence agencies.

Can’t the EU and US just sign a new data-sharing agreement that would satisfy the ECJ’s concerns?

Yes – but that’s not as simple as it sounds.

The US and EU have in fact been negotiating to update the Safe Harbour pact for nearly two years, and won’t say when they hope to conclude a deal.

Following Snowden’s leaks, the EU sought to limit the circumstances under which the US authorities could access transferred data, and threatened to veto any future trade agreements if a new deal was not struck.

But despite repeated reports that an agreement was close, the two sides have failed to agree terms.

To further complicate matters, they recently agreed in principle a separate data-sharing deal called the Umbrella Agreement, which governs how their law enforcement agencies share data.

But the EU has said it would only finalise the pact if Europeans are given the right to sue US companies in American courts for misusing their data.

The US seemed set to agree, but now its politicians may retaliate against the ECJ’s ruling by refusing to grant the privilege.

It is also covered in CJEU: EU-US Safe Harbor framework is invalid, which provides:

The Court of Justice of the European Union (CJEU) has in its decision today declared that transfers of personal data from the EU to the US cannot rely on the Safe Harbor framework agreement.

The Court said that it is for the national Data Protection Authorities (DPAs) to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the EU Data Protection Directive.

Max Schrems, who brought the case against Ireland’s DPA said: “There are still a number of alternative options to transfer data from the EU to the US. The judgement makes it clear, that now national data protection authorities can review data transfers to the US in each individual case – while ‘Safe Harbor’ allowed for a blanket allowance. Despite some alarmist comments I don’t think that we will see major disruptions in practice.”

The European Parliament’s Civil Liberties Committee Chair Claude Moraes said: “The decision by the European Court of Justice today, declaring the invalidity of the Safe Harbour agreement, forces the European Commission to act in order to ensure that transatlantic transfers of personal data of EU citizens to companies in the US offer the continuity of protection required by EU law and come up with immediate alternative to Safe Harbour. The Commission has been in negotiations with the US for over a year on improving the framework but we have still received no update on these discussions.”

“The Commission must immediately put forward a new complete and strong framework for transfers of personal data to the US which complies with requirements of EU law as enshrined in the Charter of Fundamental Rights and EU data protection rules and provide our citizens with solid, enforceable data protection rights and effective independent supervision.”

Ireland’s High Court is now required to examine Mr Schrems’ complaint to decide whether transfer of the data of Facebook’s European subscribers to the US should be suspended on the ground that the US does not afford an adequate level of protection of personal data.

Helen Dixon, Ireland’s Data Protection Commissioner, today welcomed the ECJ’s decision and stated that she has instructed her legal team to take action to swiftly bring the case back to the High Court. She will also “immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgement can be implemented in practice, quickly and effectively, particularly as it impacts on EU/US data transfers.”

The CJEU’s decision has major implications not only for Facebook, the subject of this case, but also for other US Internet companies, such as Google, Apple, Microsoft and Yahoo. They may become subject to investigations by individual EU DPAs if they have not secured personal data in the EU from US surveillance.

It is obvious that there needs to be a new structure in place soon. From the ECJ’s perspective the best approach would be for the US to overhaul its data protection legislation. That is not going to happen any time soon. So what is needed is a new bespoke arrangement that somehow permits data transfers from the EU to the US with the assurance that such data will be retained, used and disclosed in compliance with EU laws. The BBC reports on the scrambling going on by the EU Commission in European Commission promises new data transfer guidance.
