Tag Archives: EU Safe Harbor

European Court Of Justice Rules On Safe Harbor Agreement

As many people expected, the European Court Of Justice, the highest court controlling European Union law, ruled in favor of Max Schrems and said that the Safe Harbor Agreement, negotiated between the United States and the European Union in the mid 1990s, is invalid and does not provide EU citizens with the protections mandated by the EU data protection directive.

I am currently on a conference call with 2,000 other privacy professionals discussing the impact of this ruling.

The short version is that technically, many companies are now transferring data in violation of the law between Europe and the United States, but that executives should not panic.  Yet.

One part of the ruling is that the EU country data protection authorities (DPAs) do not have to bow down to the European Commission’s decision from the mid ’90s and MAY rule on whether adequate protections are in place – which then have to be referred to the European Court Of Justice, as Max Schrems did.

Another part of the ruling says that disclosures to law enforcement (read this as the NSA, FBI and others) need to be necessary, proportionate and subject to judicial redress.  Needless to say, that is not what happens today.

It would seem to me that those same rules ought to apply to European surveillance activities, but I don’t think that court directive addresses that.

The US and EU have been working for two years trying to negotiate a new safe harbor agreement and last month initialed a form of agreement, pending the US passing new laws protecting the rights of EU citizens.  Given the ruling today, I assume that this agreement will need to be revisited.

The privacy experts are saying that companies that transfer data between the US and the EU need to start – like tomorrow – looking at their situation with expert counsel and planning the future.

They also point out that this particular judgement ONLY affects Max Schrems' lawsuit against Facebook and does not invalidate all other agreements in the world.  It does, however, create a framework or standard for the EU countries' DPAs to assess other lawsuits.

I also expect, now that Schrems has a ruling in his favor, that other lawsuits will be filed.

The United Kingdom data protection authority said that THEY do not plan to shut down the Internet, that people should not panic, etc.

The experts expect that a lot of conversations will begin between the 28 data protection authorities, the European Commission and the United States.

Stay tuned,




EU-US Privacy Safe Harbor May Be In Jeopardy

Max Schrems, whom I have written about before (see post) is continuing his fight against Facebook.  He first took his battle to the Irish Data Protection Commissioner (DPC) since Facebook Europe is based in Ireland, but the DPC declined to take the case, because, it said, it had no legal requirement to do so (meaning this is a hot potato and I don’t want to be associated with it).

Schrems next took the case to the European Court Of Justice in Luxembourg where a decision is expected on June 24th.

The basic argument is that since the NSA, according to Snowden documents, can look at EU residents' data, the Safe Harbor agreement written 15 years ago is a sham and does not protect EU citizens' data that is stored in the U.S.  In general, U.S. companies don't argue that they have not been able to stop the NSA from looking at their stuff and it appears some companies may even have cooperated with the NSA, but the U.S. companies' business models sort of require that they consolidate the data somewhere, and moving U.S. data to Europe doesn't work for them either.

IF, and it is a big if, the ECJ rules that the safe harbor agreement between the EU and US violates EU law, that will mean that companies like Facebook, Microsoft and Google (and probably hundreds or thousands of other companies) who routinely take EU data and move it to the US will no longer have a safe harbor to move the data to the U.S. and would be subject to EU privacy lawsuits.  Since EU law is much stricter than U.S. law, U.S. companies do not want this to happen.  I assume they are planning for the worst case.

The EU and US have been negotiating a new agreement for years, but it doesn't seem like it is making much progress.  IF the court rules the safe harbor provision violates EU law, everyone will get real motivated to come up with a new agreement very quickly, I suspect.

Next chapter comes out on June 24.