The ruling will affect more than 4,400 U.S. and European companies that rely on the agreement to move data back and forth across the Atlantic to support trade and jobs. It also could have huge implications for U.S. intelligence agencies, which depend on an ability to sift through large volumes of data in search of clues to disrupt terrorist plots.
The decision invalidated the Safe Harbor framework of 2000, reached between the United States and the European Commission. Tuesday's ruling grew out of revelations by a former National Security Agency contractor, Edward Snowden, about the scope of NSA surveillance.
The Obama administration reacted with dismay.
"We are deeply disappointed in today's decision from the European Court of Justice, which creates significant uncertainty for both U.S. and [European Union] companies and consumers, and puts at risk the thriving transatlantic digital economy," Commerce Secretary Penny Pritzker said.
For the past two years, the United States has worked with the European Commission to strengthen the framework, Pritzker said in a statement. "The court's decision necessitates release of the updated Safe Harbor Framework as soon as possible," she said.
She added that the administration is prepared to work with the commission "to address uncertainty created by the court decision" for thousands of businesses.
In the immediate term, data will continue to flow, analysts said. But the risks associated with those data flows have multiplied exponentially, they say.
"It's regulatory roulette," said Trevor Hughes, president and chief executive of the International Association of Privacy Professionals. "What we see is that a major mechanism for allowing those data transfers to occur has now gone away. Those data transfers are not going to stop. However, many companies today are now likely out of compliance with the expectations of European law, which opens them to regulatory enforcement in Europe and elsewhere."
The case began with an Austrian citizen and Facebook user, Maximillian Schrems, who in 2013 lodged a complaint with the Irish data protection commissioner alleging that his Facebook data, which is transferred from Facebook's Irish subsidiary to servers in the United States, was inadequately protected. He based his allegations on news reports that summer describing the NSA's surveillance reach based on documents leaked by Snowden.
The Irish commissioner rejected Schrems's complaint, citing a European Commission decision from 2000 that determined that the United States, under the safe-harbor scheme, ensures the privacy of data that is transferred.
On review, the Irish High Court referred to the European Court of Justice the question of whether a national data protection authority is bound by the commission's finding. Last month, the court of justice's advocate general issued an advisory opinion, concluding that national privacy authorities are not bound by the commission's decision. He also concluded that the safe harbor itself lacks adequate privacy protections for transferred data.
The European court's ruling has two key provisions. First, it ruled that each data-protection authority may examine whether a transfer of data complies with European privacy rules and raise it with their national court if they feel it does not. The national court can then refer it to the European Court of Justice for a ruling.
Second, it ruled the safe-harbor agreement itself is invalid. It found that in agreeing to the Safe Harbor in 2000, the European Commission did not make the necessary findings about the adequacy of US privacy laws. It stated that the agreement places "national security, public interest or law enforcement requirements" over privacy principles.
As such, the court said, it enables "interference, founded on national security and public interest requirements" with the "fundamental rights of the persons" whose personal data is transferred across the Atlantic.
"It's really hard to imagine anything that can be more disruptive to the digital economy than this," said Daniel Castro, vice president of the Information Technology and Innovation Foundation. The ruling, he said, is rooted in European discontent with the U.S. government's access to information. "The problem is, though, they're punishing the companies," he said.
He asserted that rather than strike down Safe Harbor, Europeans should have created "Safe Harbor 2.0" by taking into account concerns raised by the Snowden disclosures.
There are other mechanisms by which firms may be able to transfer data, said Renzo Marchini, special counsel at Dechert law firm in London. They may, for instance, sign a "standard clause" or document approved by the European Commission that guarantees certain privacy protections. "A lot of people are going to be scurrying around trying to sign up to these documents," he said.
"It is too early to say [the ruling] will be catastrophic," Marchini said. "But it will make life difficult for people in the short term while the dust settles."
The top lawyer for the U.S. intelligence community objected this week to the argument that U.S. surveillance is overly broad. Robert Litt, general counsel for the Office of the Director of National Intelligence, said in an opinion piece in the Financial Times that the program the Europeans were pointing to "does not give the U.S. 'unrestricted access' to data." Rather, he said, the intelligence agencies may obtain information "only relating to specific identifiers, such as an e-mail address or telephone number," under a court directive and only if the identifiers are being used to communicate "foreign intelligence information."
Nonetheless, privacy advocates said the ruling should prod Congress to enact greater privacy protections on U.S. surveillance programs.
"Today's ruling shows the need to step up reforms of government surveillance practices. There is a clear need for the U.S. and Europe to set clear, lawful and proportionate standards and safeguards for conducting surveillance for national security purposes," said Jens Henrik-Jeppesen, director of European Affairs for the Center for Democracy and Technology. "The invalidation of the Safe Harbor agreement should spur governments on both sides of the Atlantic to ratchet up long-overdue reform efforts."
In response to the ruling, the Irish data privacy commissioner, Helen Dixon, on Tuesday directed her legal team to bring Schrems's case back "as soon as practicable" before the Irish High Court.
"As a practical matter," said Stewart Baker, a partner at Steptoe & Johnson, "it would be very hard for the Irish authorities to come to any conclusion other than that the Safe Harbor needs to be revised." That likely will mean, he said, that Facebook will have to seek other means of complying with data protection rules in Europe
Share
