In a decision that is reverberating across the digital economy, the European Court of Justice on Tuesday struck down a transatlantic agreement that enables companies to transfer data from Europe to the United States, finding that European data is not sufficiently protected in the United States.
The ruling will affect more than 4,400 U.S. and European companies that rely on the agreement to move data back and forth across the Atlantic to support trade and jobs. It also could have huge implications for U.S. intelligence agencies, which depend on an ability to sift through large volumes of data in search of clues to disrupt terrorist plots.
The decision invalidated the Safe Harbor framework of 2000, reached between the United States and the European Commission. Tuesday’s ruling grew out of revelations by a former National Security Agency contractor, Edward Snowden, about the scope of NSA surveillance.
The Obama administration reacted with dismay.
“We are deeply disappointed in today’s decision from the European Court of Justice, which creates significant uncertainty for both U.S. and [European Union] companies and consumers, and puts at risk the thriving transatlantic digital economy,” Commerce Secretary Penny Pritzker said in a statement.
For the past two years, the United States has worked with the European Commission to strengthen the framework, Pritzker said. “The court’s decision necessitates release of the updated Safe Harbor Framework as soon as possible,” she said.
She added that the administration is prepared to work with the commission “to address uncertainty created by the court decision” for thousands of businesses.
In the immediate term, data will continue to flow, analysts said. But the risks associated with those data flows have multiplied exponentially, they said.
“It’s regulatory roulette,” said Trevor Hughes, president and chief executive of the International Association of Privacy Professionals. “What we see is that a major mechanism for allowing those data transfers to occur has now gone away. Those data transfers are not going to stop. However, many companies today are now likely out of compliance with the expectations of European law, which opens them to regulatory enforcement in Europe and elsewhere.”
The case began with an Austrian citizen and Facebook user, Max Schrems, who in 2013 lodged a complaint with the Irish data protection commissioner alleging that his Facebook data, which is transferred from Facebook’s Irish subsidiary to servers in the United States, was inadequately protected. He based his allegations on news reports that summer describing the NSA’s surveillance reach, based on documents leaked by Snowden.
The Irish commissioner rejected Schrems’s complaint, citing a European Commission decision from 2000 that determined that the United States, under Safe Harbor, ensures the privacy of data that is transferred.
On review, the Irish High Court referred to the European Court of Justice the question of whether a national data-protection authority is bound by the commission’s finding. Last month, the Court of Justice’s advocate general issued an advisory opinion, concluding that national privacy authorities are not bound by the commission’s decision. He also concluded that Safe Harbor itself lacks adequate privacy protections for transferred data.
The European court’s ruling has two key provisions. First, it ruled that each data-protection authority may examine whether a transfer of data complies with European privacy rules and, if it concludes that the transfer does not, raise the matter with its national court. The national court can then refer the question to the European Court of Justice for a ruling.
Second, it ruled the Safe Harbor agreement itself is invalid. It stated that the agreement places “national security, public interest or law enforcement requirements” over privacy principles.
As such, the court said, it enables “interference, founded on national security and public interest requirements,” with the “fundamental rights of the persons” whose personal data is transferred across the Atlantic. It found that in agreeing to Safe Harbor in 2000, the European Commission did not determine whether U.S. law provides adequate privacy protection for Europeans.
But the court left the door open for the commission to make specific findings that U.S. law provides adequate privacy protections, especially compared with European laws, said Michael Vatis, a partner at Steptoe and Johnson and a former Justice Department official.
In Europe, Vatis said, many intelligence services can collect personal data without any court approval. And, he added, many citizens do not have the right to complain that their intelligence services have inaccurate data on them and seek to have it corrected.
Daniel Castro, a vice president at the Information Technology and Innovation Foundation, said that “it’s really hard to imagine anything that can be more disruptive to the digital economy than this.” The ruling, he said, is rooted in European discontent with the U.S. government’s access to information. “The problem is, though, they’re punishing the companies,” he said.
He asserted that rather than strike down Safe Harbor, Europeans should have created “Safe Harbor 2.0” by taking into account concerns raised by the Snowden disclosures.
Myron Brilliant, U.S. Chamber of Commerce executive vice president, said that “it is particularly alarming that this long-standing agreement has been invalidated with no discussion of a transition period or guidance regarding how companies should comply with the law while a new agreement is negotiated or as they transition to new mechanisms.”
There are other mechanisms by which firms may be able to transfer data, said Renzo Marchini, special counsel at the Dechert law firm in London. They may, for instance, sign a “standard clause” or document approved by the European Commission that guarantees certain privacy protections. “A lot of people are going to be scurrying around trying to sign up to these documents,” he said.
“It is too early to say [the ruling] will be catastrophic,” Marchini said. “But it will make life difficult for people in the short term while the dust settles.”
On Tuesday, Facebook released a statement saying: “This case is not about Facebook. The Advocate General himself said that Facebook has done nothing wrong.”
The company added that it “relies on a number of the methods prescribed by E.U. law to legally transfer data to the U.S. from Europe, aside from Safe Harbor.”
The top lawyer for the U.S. intelligence community objected this week to the argument that U.S. surveillance is overly broad. Robert Litt, general counsel for the Office of the Director of National Intelligence, said in an opinion piece in the Financial Times that the program the Europeans were pointing to “does not give the U.S. ‘unrestricted access’ to data.”
And an ODNI spokesman, Brian Hale, said, “Our legal framework for intelligence collection includes robust protection for privacy rights under multiple layers of oversight.”
Nonetheless, some privacy advocates said the ruling should prod Congress to enact greater privacy protections on U.S. surveillance programs.
“Today’s ruling shows the need to step up reforms of government surveillance practices. There is a clear need for the U.S. and Europe to set clear, lawful and proportionate standards and safeguards for conducting surveillance for national security purposes,” said Jens Henrik-Jeppesen, director of European affairs for the Center for Democracy and Technology.
In response to the ruling, the Irish data privacy commissioner, Helen Dixon, on Tuesday directed her legal team to bring Schrems’s case back “as soon as practicable” before the Irish High Court.