Europe’s Top Court Strikes Down ‘Safe Harbor’ Data-Transfer Agreement With U.S.

The European Court of Justice has today declared invalid the Safe Harbor data-transfer agreement that has governed EU data flows across the Atlantic for some fifteen years.

“The Court of Justice declares that the Commission’s U.S. Safe Harbour Decision is invalid,” the ECJ said in a statement today, reported by Reuters.

Some 4,700 companies rely on Safe Harbor to operate businesses in the region. It affects those companies that outsource data processing of E.U. users’ data to the U.S.

The Safe Harbor executive decision allows companies to self certify to provide “adequate protection” for the data of European users to comply with the European data protection directive, and with fundamental European rights such as the right to privacy (under Article 8 of the European Convention for the Protection of Human Rights).

In an EC press conference on the ECJ ruling today, FVP of the Commission, Frans Timmermans, said: “Today’s judgement by the court is an important step towards upholding European’s fundamental rights to data protection. The court confirms the need of having robust data protection safeguards in place before transferring citizens data.”

The Safe Harbor rules were already under review by the European Commission, in the wake of the Snowden revelations expose of how U.S. intelligence agencies’ surveillance apparatus taps into commercial Internet services, with data protection commissioner Viviane Reding stating back in July 2013 that Safe Harbor “may not be so safe”.

The Commission issued 13 recommendations for improving Safe Harbor in November 2013 but negotiations to rework the framework are ongoing.

“We have been working with the American authorities to make data transfers safer for European citizens. In light of the ruling we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic. In the meantime transatlantic data flows between companies can continue using other mechanisms for international transfer of personal data available under EU data protection law,” added Timmermans.

Today’s ECJ’s judgement is the culmination of a 2013 legal challenge by European privacy campaigner Max Schrems who filed complaints against several U.S. Internet giants — including Facebook — in the Irish courts for alleged collaboration with the NSA’s Prism program. The Irish courts dismissed the complaint, on the grounds that the European Safe Harbor agreement governed such data flows — referring the case to the ECJ. The latter has now ruled that European data protection authorities cannot rely on the umbrella of Safe Harbor to govern their decisions.

In an initial response to the ruling, Schrems said it “draws a clear line” by clarifying that mass surveillance “violates our fundamental rights”.

His statement reads:

I very much welcome the judgement of the Court, which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.

The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it.

This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.

At the same time this case law will be a milestone for constitutional challenges against similar surveillance conducted by EU member states.

There are still a number of alternative options to transfer data from the EU to the US. The judgement makes it clear, that now national data protection authorities can review data transfers to the US in each individual case – while ‘safe harbor’ allowed for a blanket allowance. Despite some alarmist comments I don’t think that we will see mayor disruptions in practice.

Late last month, the top advisor to the ECJ, Yves Bot, issued an opinion that suggested the court would invalid Safe Harbor. In a last minute PR scramble in recent weeks — as the ECJ decision loomed — both the U.S. mission in Europe and Robert Litt, the general counsel from the office of US director of national intelligence, have been attempting to argue that U.S. intelligence operates ‘targeted’ not mass surveillance, despite the dragnet approached detailed in the Snowden documents.

Writing in an article in the FT only yesterday, Litt argued that the NSA’s Prism data harvesting program “does not give the US “unrestricted access” to data”, claiming: “Rather, the US may obtain communications only relating to specific identifiers, such as an email address or telephone number; only if the US believes those identifiers are being used to communicate foreign intelligence information; and only with the legally compelled assistance of communications service providers under the supervision of an independent court.”

Such interventions have clearly failed to sway the court, however, which notes in its judgement today earlier conclusions by the European Commission that “the large-scale access by intelligence agencies to data transferred to the [U.S.] by Safe Harbor certified companies raises additional serious questions regarding the continuity of data protection rights of Europeans when their data is transferred to the [U.S.].”

Referring to the EC’s November 2013 communication, the ECJ further notes: “It is apparent, in particular, from points 3 to 5 and 8 of Communication COM(2013) 847 final that, in practice, a significant number of certified companies did not comply, or did not comply fully, with the safe harbour principles.”

Commenting on the ruling to TechCrunch, Marion Oswald, senior fellow in law at the University of Winchester, adds: “It seems to be definitely that the court is making a definite decision about the privacy impact of mass surveillance. It is concerned also about individuals having a way of challenging that and having a right of recourse via their own domestic data protection authorities.”

So what happens next, from the tech industry perspective? The judgement opens U.S. Internet businesses with users in Europe to privacy challenges if they are processing E.U. data in the U.S. The court has not allowed for a transitionary period, which may accelerate moves by U.S. Internet companies to adopt strong encryption — something we have already been seeing in the wake of the Snowden revelations.

Or else companies will need to restructure their European data processing operations — such as building European data centers to process regional data — although such shifts might require other significant procedural changes in how they manage user data flows, so could entail significant time and expense. Larger companies may have the resource to restructure (more) quickly, but smaller entities may struggle. (One type of business that will be gaining uplift from the ruling and the uncertainty it generates is the law firms that will now be deluged for advice…)

Schrems argues there may be a political fix in the near term if the EC and the U.S. government hammer out a new Safe Harbor agreement, although he argues it “will very likely require severe changes in US law and more than just an update to the current ‘safe harbor’ system”, adding: “Otherwise full compliance with EU fundamental rights and the judgement will be very hard to achieve.”

Commenting on the ECJ ruling in a statement, MEP and Civil Liberties Committee Chair, Claude Moraes, said it forces the EC to act to “come up with immediate alternative to Safe Harbor” — although he expressed disappointment at the lack of a more detailed EC update on the process. “The Commission has been in negotiations with the U.S. for over a year on improving the framework but we have still received no update on these discussions,” he noted.

“The Commission must immediately put forward a new complete and strong framework for transfers of personal data to the US which complies with requirements of EU law as enshrined in the Charter of Fundamental Rights and EU data protection rules and provide our citizens with solid, enforceable data protection rights and effective independent supervision,” he added.

Speaking during the Commission press conference, EC justice commissioner Vera Jourová noted there are alternative mechanisms for companies to share data ahead of an updated Safe Harbor framework, such as “standard data protection clauses in contracts” or “binding corporate rules for transfers within a corporate group”.

“Also the data protection rules include derogations under which data can be transferred on the basis of performance of a contract,” she continued. “For instance if you book a hotel in the U.S. your personal data are transferred there in order to fulfill the contract. Another options is important public interest grounds, such as co-operation between authorities in the fight against fraud cartels and so on.

“Another option: the vital interest of the data subject. It means in urgent life or death situations personal data, such as medical records, can be transferred internationally in the person’s own interest. Or if there is no other ground, the free and informed consent of the individual.”

She also confirmed that negotiations on the update to Safe Harbor are still ongoing, but declined to give a timeframe for completion, saying national security issues have required more time for the process — although she did suggest the ECJ ruling invalidating Safe Harbor gives the Commission a stronger negotiating position as those discussions continue.

U.S.-based pro-privacy and digital rights organization, TACD, today dubbed the ECJ ruling “a major global victory for privacy”. It advocates for a global set of data protection standards, and for the U.S. specifically to enact a comprehensive set of data privacy rules to bring it into line with other global regions that do have such rules.

In a statement, Finn Myrstad, EU chair of the TACD Information Society Policy Committee, said: “This case, and multiple others, has shown the privacy and fundamental rights of European citizens are not respected. We need a much better framework that engenders trust and promotes privacy and security of personal information. Only then can we have a digital economy to the benefit of consumers on both sides of the Atlantic.”

We need a much better framework that engenders trust and promotes privacy and security of personal information.

In the short term the ECJ ruling puts more emphasis on national data protection authorities, which will be fielding any complaints and ruling on them. So regional differences could be be significant, as Winchester’s Oswald notes.

“There’s been a lot of difference in terms of the attitude of different national DPAs to big corporates in particular,” she told TechCrunch. “In the U.K. the ICO certainly has taken a very business friendly approach. They’ve a tendency to come to negotiated agreements rather than taking aggressive enforcement action, whereas on the continent in particular the attitude has been quite different.”

“There may well be a risk here that there will be different views taken, and a different approach taken — certainly in the U.K. to some of the DPAs on the continent,” she added.

However the EC stressed as one of its priorities in the wake of the judgement to issue “clear guidance” for national data protection authorities — specifically to avoid any “patchwork” or fragmentation in their response, and ensure a “co-ordinated European approach in the internal market” to ensure more clarity for businesses.

“The Commission will work closely with the data protection authorities,” said Jourová. “We’ve started intensive discussions with the DPA authorities and with the Working Party 29 because what we have to ensure together is the unified approach of the data protection authorities because now we are under 28 regimes.”

(The WP29 has also now put out a response statement, in which it notes it will be kicking off initial expert discussions this week — “in order to provide a coordinated analysis of the Court’s decision and to determine the consequences on transfers” — with a full meeting of the working party due to be “shortly scheduled”.)

The forthcoming update to the EC’s data protection directive — another big EU reform still in train but which Jourová confirmed will be completed this year — is also set to harmonize rules across national data protection authorities. So the ECJ ruling looks to be accelerating the existing European data protection trajectory in that regard.

“The Commission will also do what it can to offer assistance and help to business who are looking for answers on how to facilitate data transfers in light of the judgement. We will put relevant information and contact points on our website,” added Jourová.

Responding to the ruling in a statement, the Irish data protection commissioner Helen Dixon confirmed the original Schrems case will return to court in Ireland, saying she is taking steps to bring the case “back as soon as practicable before the Irish High Court”. So Schrems will get his day in Irish court (again).

“In declaring the old ‘safe harbor’ rules invalid, however, the significance of the judgment extends far beyond the case presently pending in Ireland,” Dixon added. “In that regard, my Office will immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgment can be implemented in practice, quickly and effectively, particularly insofar as it impacts on EU/US data transfers.”

separate landmark ECJ judgement earlier this month — which ruled in favor of the Hungarian data protection authority vs a Slovakian property website called Weltimmo — may have additional implications for the application of the Safe Harbor ruling.

The Weltimmo ruling effectively means that if a company operates a service in a country it can be held accountable by that country’s national data protection agency — despite not being headquartered there. So Internet businesses such as Facebook which offer services to, for instance, German and French users may find themselves under the jurisdiction of German or French DPAs, rather than as has been the case up to now only the Irish DPA. (Related and relevant: Facebook’s privacy-related court clash with the Belgian DPA.)

The Weltimmo ruling seems another good reason for the EC to try to get national data protection authorities acting as one. The alternative, as Essex University’s Professor Lorna Woods posits, is a situation where companies targeting services at citizens of multiple European countries could have an obligation to “comply with multiple views” on what is ‘adequate’ in terms of data protection, based on variable attitudes at the national level.

“If you’re targeting people in say Germany or Belgium or wherever else then they could still say in relation to our citizens you’ve got to comply with our view of what’s adequate [privacy and data protection]. But there could be an obligation on a company to comply with multiple views of adequate,” she suggests.

Woods points to additional issues that have emerged around the operation of Safe Harbor in recent times — regarding the robustness of the self certification process, and failures by companies to comply with the rules — and says the ECJ is picking up on these problems. So the ruling is about more than just the Snowden disclosures.

“It’s saying ‘not only is it about the level of protection, it’s the practice’,” she says. “You can have this wonderful system on paper; we’re actually saying you’ve got to ensure it.

“And here we have in the background the fact that the Safe Harbor system is self certification, and we have in the background the recent activity by the FTC on companies that haven’t data self certified, they’ve not kept their certification up to date, they haven’t really done what they’ve said they’ve done. They’ve been all sorts of problems. So there’s that in the background.”

The EC’s Jourová also referred to this issue — noting in a Q&A session at today’s press conference the need for “stronger monitoring of compliance of rules under Safe Harbor on the commercial part”.

“There we already achieved quite a lot of good results in communication and negotiations with the American Department of Commerce and, I must say, that we received very strong commitments from the American authorities that there will be continuous monitoring of the reinforced Safe Harbor,” she added.

Woods’ broader view is the ECJ ruling could have serious implications for big data business models in general if companies are relying on similarly indiscriminate access to information as government intelligence agencies were revealed to have been by the Snowden disclosures.

“Quite clearly the main thrust of this is there has been an issue with… the possibility of indiscriminate access to data of all sorts,” she says, adding: “The [ECJ] are not distinguishing, interestingly enough, between data and content either. So they’re saying we don’t care whether it’s sensitive data or not sensitive data — you shouldn’t be accessing it.

“I think there is a broader issue which I don’t think we’ve got to the bottom of in Schrems. I think the court is certainly trying to limit what it’s saying but the questions are there — and the questions are there for the businesses such as Facebook, Google. Big data business models I suppose you could reduce it to. So that’s quite interesting.”

“It’s probably going to be politically inconvenient,” Woods adds. “It’s going to have repercussions on all those American data industries. Potentially far-reaching… Those companies that hoover up loads of data will be scratching their heads about this.”

Trevor Hughes, VP of Research at The International Association of Privacy Professionals, agrees there are likely to be “broader ripple affects” — although what those effects might be are not clear at this point. What is clear is that data sharing across the Atlantic has become far more legally complex for businesses than it was yesterday.

“To begin with data flows have not stopped today. Data continues to flow between Europe and the United States and will likely continue to flow for the foreseeable future,” Hughes tells TechCrunch. “It’s unlikely that will stop. However the risk profile for organizations has increased exponentially.

“Theoretically every organization that previously was in the Safe Harbor is out of compliance with European data protection law today and is subject to the enforcement risks of a data protection authority coming after them. How organizations respond to that — whether they begin to build more data centers in Europe — whether they seek other mechanisms for permissively transferring data, not just to the U.S. but around the world, I think a lot remains to be seen as to how we move forward.”

“Big data, cloud providers, global multinationals, large Internet and tech companies — I think all are spending a lot of time today assessing exactly what their risks are and what this means,” he adds.