In a move that could cost the EU up to 1.3 percent of its gross domestic product, according to the American Chamber of Commerce to the European Union, on Oct. 6 the European Court of Justice invalidated the 15-year old EU-US Safe Harbor Agreement in Schrems v. Data Protection Commissioner, causing some consternation among the more than 5,000 European and U.S. firms that rely on the Agreement to transfer EU data to U.S. servers. Given its potential impacts this case is important to consider on its own merits, but it should also be read as another step in a growing rift between the EU and U.S. not only on privacy law, but also the future of Internet governance itself.
The case was brought by an Austrian law student and civil rights advocate, Maximilian Schrems, who sought to challenge Facebook's international data transfers from Ireland (where Facebook's European subsidiary is headquartered) to the U.S. arguing that this practice infringes his privacy rights due to the potential for U.S. government surveillance. The Irish Data Protection Commissioner rejected Schrems' complaint on the grounds that the European Commission had already decided that the U.S. ensured an adequate level of privacy protections. Schrems appealed that decision to the Irish High Court, which referred the dispute to the European Court of Justice.
At the heart of the case was the Safe Harbor Agreement negotiated between the EU and U.S. in response to the 1998 EU Data Protection Directive (DPD), which in part prohibited the transferring of data on EU persons to non-EU nations that do not maintain "adequate" privacy safeguards. The agreement left U.S. firms (many of which then, as now, are global tech leaders) in a difficult position given that, until the Safe Harbor Agreement was finalized, U.S. privacy law was found to be inadequate. Still, it was largely successful at easing transatlantic data flows, at least until the 2013 revelations by Edward Snowden. These resulted in 13 recommendations by the European Commission for revising Safe Harbor, and set the stage for the Schrems.
In its Schrems decision the ECJ noted that carve outs in the Safe Harbor Agreement -- such as for U.S. national security, public interest, and law enforcement -- opened the door for bulk data collection including the NSA program codenamed PRISM. This reasoning led the ECJ to hold that: (1) the U.S. bulk collection of personal data violated the privacy rights of EU citizens and (2) that EU citizens were not afforded the opportunity to challenge these U.S. practices, compromising their right to judicial review. Ultimately the ECJ decided that no amount of self-certification could get around U.S. surveillance practices, which were found to be irreconcilable with EU privacy law (even though the USA Freedom Act, passed prior to the Schrems ruling, outlaws the kind of bulk data collection that this ECJ decision says violates the DPD). It also found that the ECJ alone has the power to decide whether or not European Commission decisions on the privacy practices of other nations are valid.
Read the full post at Huffington Post.