The US-EU Safe Harbour Decision has been ruled invalid by the Court of Justice of the European Union (ECJ) today, with widespread ramifications for organisations ranging from cloud computing providers to multi-national companies that move information on customers and staff across the Atlantic.
The agreement was reached in 2000, following the introduction of the European Union Directive on the Protection of Personal Data which became effective October 1998. The Directive prohibits the transfer of data outside the EU to third party nations that don't meet the EU test of “adequacy” with regard to privacy protections. The Safe Harbour Decision enabled US organisations to “self certify” that their data protection systems met the EU adequacy test so they could lawfully transfer personal data from the EU to the US for the purposes of storage and processing.
Today's decision striking down Safe Harbour came about after an Austrian law student, Maximillian Schrems, a Facebook user since 2008, lodged a complaint with the Irish Data Protection Commissioner that his personal data was being unlawfully processed by Facebook in the US. His claims were based on revelations by Edward Snowden regarding cooperation between the US National Security Administration (NSA) and companies such as Facebook to access the personal data of social media users.
Today, Edward Snowden tweeted his congratulations to Schrems and the ECJ.
In its widely anticipated ruling, the court agreed with the ECJ advocate general, Yves Bot, who published his opinion on 23 September. “The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter,” Bot said in his opinion. Bot said that the agreement should have been suspended immediately following Snowden's revelations about the NSA.
The Court found that the Safe Harbour agreement compromised EU citizens' right to respect for private life, compromised the fundamental right to effective judicial protection and denied national supervisory authorities their powers to investigate breaches of the principles behind data protection.
Stewart Room, a partner at PwC Legal, said the Schrems case has revealed a significant flaw in the data protection regulatory framework – that the European Commission can adopt decisions which are binding on the national data protection regulators, yet the regulators still have a duty to investigate serious complaints. “Even though those decisions are binding on the regulator, the regulator is still obliged to investigate challenges to them. That's the riddle at the heart of this case,” he said. “So that flaw in the regime is something that the citizen has been able to take advantage of to deliver this fateful blow.”