The Safe Harbor ruling – a victory for privacy activists that spells trouble for business

The keenly awaited ruling in the case of Maximillian Schrems v Data Protection Commissioner was handed down yesterday morning by Europe’s highest court.

As anticipated, the judges found in favour of Schrems, the 28-year-old Austrian law graduate, PhD student, privacy activist and Facebook user responsible for this legal battle with international ramifications. The decision will be as celebrated by privacy activists as it will be resented by transatlantic businesses.

Schrems bought his case in Ireland, the home of Facebook in Europe. His complaint was, following the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services and in particular the National Security Agency, that US law offers scant protection against surveillance by the US of the data transferred there.

Schrems wants to prevent US intelligence agencies gaining access to his personal data and his case struck a chord with those concerned with the steady erosion of the ability of the individual to control and make decisions about their personal information; where it exists and to whom it is available.

In yesterday’s decision the judges found that national data protection regulators are able to conduct their own investigations into the adequacy of data protection and that the Safe Harbor decision of 2000, the self-certifying harmonisation regime which has governed cross-border data transfers for the past 15 years, is ‘invalid’ in today’s world.

The ruling charts a victory for individuals in the ongoing privacy battle between citizens and big corporations; it is the third landmark ruling providing EU citizens with greater privacy protection than US counterparts, following Google Spain and Digital Ireland last year. Unlike the Google Spain case, the judges followed the opinion of the Advocate General which has highlighted the growing disparity between the US and EU’s attitude to privacy.

National regulators can now suspend data transfers to the US if they consider that there is inadequate protection. In a post-Snowden world this is hardly surprising; Facebook sends information to its US servers where, as Schrems describes, it is stored in something akin to a ‘black box’. He has compared huge companies like Facebook which store untold reams of personal information to a nuclear weapon that nobody really understands.

The ruling, however, is not such good news for over 4,500 businesses which have relied on now ‘invalid’ Safe Harbor regime to justify data transfers out of the EU for the last 15 years. 

The EU commission will now need to go back to the drawing board. It will need to reconsider its position and powers in consultation with member states. A key issue which will need to be addressed is whether the legality of data transferred using the now invalid ‘Safe Harbor’ will be called into question.

The implications for the likes of Facebook, Google, tech companies and any other company which holds and shares personal information are significant. National regulators can suspend data transfers if they consider there to be inadequate protection. They will need to reconsider their strategies around data transfers; if they have been relying on Safe Harbour alone to justify them then they will need to produce new agreements which are compliant with the Data Protection Directive or obtain express consent.

Facebook and other giants such as Google and Amazon could be forced to set up separate European databases to provide adequate protection to EU citizens.

Julia Wookey is a trainee solicitor at Howard Kennedy