The Safe Harbor Framework Is Dead

The European Court of Justice (ECJ) invalidated the principal European component of the U.S.-E.U. Safe Harbor Framework today in Schrems v. Data Protection Commissioner.

As I explained last week, the plaintiff, Max Schrems, sought to challenge features of the Safe Harbor Framework, the set of requirements which U.S. companies can self-certify as having met in order to transfer data freely from Europe to the United States. In particular, Schrems argued that the European Commission’s Decision 2000/520—which stipulated that U.S. corporations complying with the Framework’s privacy principles and notice and opt out requirements had “adequate” levels of data protection—itself violated the European Union's 1998 Directive on Data Protection, and sought to suspend it. Schrems’s underlying rationale was that the Snowden revelations concerning the Section 702 data collection program illustrated that the U.S. offered inadequate data protections.

What did the ECJ decide?

At first glance, the European Court of Justice’s two principal holdings mirror the Court of Justice’s Advocate General’s opinion that I wrote about earlier.

First, the ECJ explained, the European Commission’s judgment that the United States has “adequate” data protections under EU Law does not preempt a contrary finding from EU courts. That said, EU member states’ power is very limited. Only the ECJ can invalidate a European Commission decision (¶61), so as to “guarantee[] legal certainty by ensuring that EU law is applied uniformly.” As a result, EU member states need only “provide for legal remedies” so that their data protection agencies can bring challenges to a Commission decision in a national court (¶65), which can then “refer the case to the Court of Justice [of the European Union] if they too have doubts as to the validity of the Commission decision.” “Thus, until such time as the Commission decision is declared invalid by the Court, the Member States . . . cannot adopt measures contrary to that decision . . . .” (¶52).

The ECJ held separately that the Framework as it exists is invalid. Unlike the Advocate General’s opinion though, which listed a number of deficiencies all closely linked to the recent NSA disclosures, the ECJ made its determination on two fairly narrow grounds. First, “legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications” is facially a violation of the right to privacy under the Charter of Fundamental Rights of the European Union (¶94). Second, the failure to provide citizens a judicially-enforced rights of access, and to delete, personal data “does not respect the essence of the fundamental right to effective judicial protection” under the Charter (¶95). The Court did not hold as a matter of law that the U.S. lacked either of those protections (though it noted that the Commission seemed to believe the U.S. had excessive access to data, and that there was insufficient judicial redress). The main issue was that “the Commission did not state in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments” (¶98).

The second flaw with Decision 2000/520, according to the ECJ, is that the EU Commission exceeded its authority in restricting EU member states’ authority to investigate and enforce violations of EU data protection law (¶103). That is, while the individual countries cannot challenge the validity of a Commission decision, the Commission does not have authority to prevent countries from suspending data transfers to countries with inadequate protections under EU law. These two flaws “are inseparable” from Decision 2000/520 as a whole, so the Decision itself is invalid.

Accordingly, the ECJ sent the case back to the Irish data protection authority (to whom Schrems first brought his complaint) “to decide whether, pursuant to [EU law], transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that the country does not afford an adequate level of protection of personal data.”

What does the decision mean?

The opinion does not say anything about a transition period for compliance, but the New York Times reports that the largest U.S. firms already have side agreements with the EU that should give them the ability to continue data transfers for now. Those side agreements, however, are subject to challenge in European national courts. (For his part, former Acting Secretary of Commerce Cameron Kerry predicts a “tsunami” of court challenges).

One tech website suggested that Schrems may push more U.S. companies to encrypt more of their data, so as to placate national authorities. The opinion does not suggest anything along those lines, but national governments still could incorporate that line of reasoning: Encrypting content, after all, might make it impossible for U.S. authorities to access data “on a generalized basis.”

But ultimately it is still hard to predict how national and EU authorities will try to enforce the ECJ decision in the short-run because, as one tech lobbyist put it, “[c]ompanies will be working in a legal vacuum.” Industry insiders are already calling for more guidance on how to act lawfully. That’s hard, because the EU Commission’s decision is no longer controlling and each individual country thus can now enforce EU law on its own. Industry experts suggest that the turmoil will hurt smaller tech companies the most, as the latter lack separate data centers and accordingly are more likely to rely on transferring data back to the United States. As I pointed out last week, that might have some anticompetitive effects.

Meanwhile, every newspaper suggests that the ruling will complicate ongoing EU-U.S. negotiations to update the Safe Harbor framework. That’s probably true; since the Commission can no longer speak for Europe, it has a lot less to bring to the negotiating table. The EU legislature could give the Commission power to preempt national courts (the ECJ just found that it did not in this case), and one can imagine the United States demanding as much.

At the same time, EU member states (and the Commission) might have more flexibility in certifying U.S. compliance. The ECJ’s decision to focus on the Commission’s failure to certify the adequacy of U.S. data protections, rather than independently to find flaws with U.S. rules, might reflect a desire to punt on the latter issue. Going forward, it will be up to national authorities and the Commission to decide whether the U.S. system really gives the government “access on a generalised basis to the content of electronic communications." The DNI General counsel wrote an op-ed disputing that very notion yesterday.

It is too early to say whether U.S. companies will be able to continue their same cloud computing practices in the wake of this decision; they might not be able to. In that respect, the decision almost certainly poses the greatest economic threat to U.S. tech firms in the wake of the Snowden revelations.