On Tuesday morning, Europe’s highest court dealt a massive blow to thousands of US companies.
The European Court of Justice ruled that an executive decision by the European Commission in 2000 — Safe Harbour — is invalid. Without it, the legality of transferring data between Europe and the US has been thrown into jeopardy.
Below is a diagram demonstrating how Safe Harbour works. It comes from Europe-v-Facebook.org, a site run by Max Schrems, who initiated the legal proceedings that led to the ECJ’s decision.
If an American company like Facebook wants to transfer data on its users (or customers, or employees) outside of the EU, then it needs to comply with Article 25 of the EU data protection directive. This mandates that the transfer can only occur if there is “adequate protection” in place for the data subjects.
The Safe Harbour decision, issued in 2000, gave companies an easy way to comply. It unified Europe’s approach, meaning that companies like Facebook didn’t have to deal with dozens of different regulatory regimes throughout Europe.
But there was a problem: The NSA. Schrems, who is Austrian, brought a case against Facebook in Dublin — the location of the American company’s European headquarters. Schrems argued that the US spy agency’s surveillance programs, first disclosed by whistleblower Edward Snowden, meant that the US could not offer adequate protections.
However, the Irish data regulator rejected Schrems case. It argued that it was bound by the 2000 Safe Harbour decision.
So Schrems appealed to the European Court of Justice. After deliberating, the ECJ has ruled that Safe Harbour is “invalid.” The Court’s reasoning: “The existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities.”
In short, the European Commission’s Safe Harbour cannot usurp the powers of national authorities.
So what happens now? There are other ways to legitimise the transfer of data, but none are as straight-forward as Safe Harbour. Companies could seek the consent of the data subjects, or make use of model clauses pre-approved by the EU. Either way, it’s a huge legal headache.
The entire episode is illustrative of the growing mistrust in Europe of American spying, and the growing difficulties facing American companies seeking to operate on the continent.