Adrift: The impact of the ECJ’s Safe Harbour ruling by Camino Mortera-Martinez and Rem Korteweg
On October 6th, the European Court of Justice (ECJ) suspended the ‘Safe Harbour’ transatlantic agreement on data flows. In doing so, the Court overstretched its competence by answering a question it was not asked, and in the process changed the way the internet is governed. The decision has created legal uncertainty about whether companies can move data from the EU to the US. To avoid costly and wasteful bureaucracy inhibiting online commerce, the EU urgently needs to strike a new transatlantic deal on data flows. The Commission hopes to secure a new Safe Harbour agreement with the US. However, this agreement would not be immune from legal challenge in Europe. The US will insist that a new agreement has a national security exemption, meaning that the US National Security Agency (NSA) may continue to examine EU citizens’s data for security purposes. Therefore, a transatlantic agreement establishing when European countries and the US may violate privacy is required in addition to a new Safe Harbour agreement.
agreements exist with 11 countries, including Canada, Argentina and Israel). Companies that certified their compliance with Safe Harbour’s privacy principles were allowed to transfer data from Europe to servers located in the US. Schrems argued that Edward Snowden’s revelations about the NSA’s surveillance programme proved that the US violated EU privacy rights. He demanded that Facebook stop transferring his data to American servers. The Irish upper court (Facebook has its European headquarters in Ireland) referred the case to Luxembourg. It asked the ECJ to establish whether Safe Harbour gave national data protection authorities the power to examine a potential breach of privacy rules.
The ECJ’s decision came after Maximilian Schrems, an Austrian law student, took legal action against Facebook for breaching EU data protection laws. The Safe Harbour agreement allows EU citizens’ data to be transferred to other countries if their laws ensure an adequate protection of privacy. In 2000, the European Commission recognised that the US met that requirement. (Similar
The ECJ ruled that national authorities may do so. But it also decided to examine whether the US met the Safe Harbour principles. The EU judges decided that the US did not, because of Snowden’s disclosures. This may or may not be true, but what is surprising is that neither the US government nor Facebook were part of the proceedings. Their positions were not heard