EU Court: US Safe Harbor Scheme Invalid
US companies have made a habit in the last several years of locating data centers in Ireland in order to serve European customers. These companies include Google, Microsoft, and, most importantly for this article, Facebook.
Austrian citizen and privacy activist Maximilian Schrems decided to lodge a complaint against Facebook with the Irish Data Protection Commissioner in 2014, citing revelations brought by the Edward Snowden leaks which showed the US had little regard for privacy laws. The Data Protection Commissioner decided not to review the case on the grounds that under a 2000 arrangement, known as the “Safe Harbor Scheme,” the data was adequately protected in transmission to the US.
Schrems appealed the case to the High Court of Ireland, which then referred it to the European Court of Justice in June 2014. Now, more than a year later, the ECJ has come out with a high-impact decision: the Data Protection Commissioner acted in error, and must review Schrems’s complaint. But it goes further, by stating that the Safe Harbor Scheme is not valid, essentially because evidence shows that US authorities will allow their law enforcement agencies to prevail over such an agreement, thereby not creating protections consistent with those guaranteed under EU law. Further, domestic authorities must have the right to review complaints by EU citizens, regardless of agreements made with the US, and nothing should prevent that.
From the ruling:
Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.
US Privacy < EU Privacy
Essentially at issue here is whether US privacy laws are on par with those of the EU. The sad fact is that while several constitutional amendments create a culture which should be conducive to data privacy, laws passed by the Federal Government and some of its states have given the governments vast new powers over the last several years. Fundamentally speaking, the US has a binding document (the US Constitution) which should make it the freest nation on earth, but nevertheless US citizens enjoy less protection from government intrusion than do citizens in far “less free” countries.
Data sharing with countries such as the US is not technically legal under EU law. Facebook and other companies wanting to do business in the EU will now have to re-examine how they’ve been doing it, most likely being forced to set up specific headquarters and new data practices. Individual countries will be able to declare their own regulatory powers over companies like Facebook and Google, rather than deferring to agreements made with the EU at large.
Countries can also force US companies to host data exclusively inside their borders. While this could be good for their economies, that assumption hinges on the idea that the companies will actually comply and do so. In the case of Google versus China, Google wound up just porting Chinese traffic to nearby servers in greater Asia, rather than continue to deal with the Chinese government. For the companies, setting up several new data centers could become an expensive proposition quickly.
In the actual ECJ decision, no framework was outlined as to how long companies should have to fall in line with new regulations. One thing is for certain: EU trust in the US is at an all-time low, and perhaps for good reason.