EU Preliminary Ruling Puts US-EU Safe Harbor in Jeopardy

A Preliminary Opinion on a challenge to Facebook’s privacy practices has put in question the continued viability of the US-EU Safe Harbor program which permits data transfers between the US and European businesses.

FACEBOOK’S EUROPEAN NEMESIS.  Austrian Maximillan Schrems has become Facebook’s European nemesis after spending a semester at Santa Clara University School of Law convinced him that Facebook did not fully appreciate the breadth of European privacy law.  This led him to invoke the European “right to access” personal information to request Facebook’s data on him, and, as a result, Facebook was forced to produce over 1,200 pages of data it had collected on him (which he then made public).

After the Edward Snowden revelations about NSA data collection from U.S. tech firms, Schrems filed a complaint with the Irish data protection authority (which regulates Facebook’s European activities).  The Irish authority rejected the complaint since, under the US-EU Safe Harbor program the European Commission had determined that the United States ensures an adequate level of protection of the personal data transferred.

THE QUESTION:  The case went to the Irish High Court which then sought guidance from the EU Court of Justice whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.

THE ANSWER: The Court’s Advocate General Yves Bot stated that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the national supervisory authorities’ powers under the directive on the processing of personal data.

While Bot’s determination is advisory and not binding on the Court of Justice and the Judges of the Court are now beginning their deliberations in this case, his findings puts a cloud over the continued viability of the EU Safe Harbor as his findings challenged its continued viability.

This includes finding that:

• The law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection;
• The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the EU Charter; and
• Since the access which the United States intelligence authorities may have to the personal data covers, in a generalized manner, all persons and all means of electronic communication and all the data transferred (including the content of the communications), without any differentiation, limitation or exception according to the objective of general interest pursued, it cannot be regarded as ensuring an adequate level of protection, and this is all the more so since the safe harbor scheme as defined in the Commission decision does not contain any appropriate guarantees for preventing mass and generalized access to the transferred data.

Bot believes that in light of these findings the US-EU Safe Harbor should be suspended pending resolution of current negotiations with the United States.

An elated Schrems responded by giving thanks to Snowden

I would like to use this opportunity to express my deep respect for the work of Edward Snowden, Glenn Greenwald and Laura Poitras who have made these mass surveillance systems public. Without their work and the donations of more than 2000 people, this issue would not be before the EU’s top court today.