Up until last week when the ECJ announced its decision, it is likely only a small percentage of EU citizens were even aware of the existence of the Safe Harbor agreement, let alone in possession of the detail and relevance of the clause. Following the October 6 decision there is undoubtedly a wider understanding of this agreement, but, for those who have remained blissfully none-the-wiser here’s the rundown; Safe Harbor was an agreement by which companies — not just technology firms — could transfer and store consumer data generated in Europe by EU citizens, on U.S. servers and subject to U.S. regulations.
Dating back to 2000, Safe Harbor was a clause accepting US laws as sufficient to protect the privacy of Europeans. However, thanks to the now notorious whistle-blower Edward Snowden, we have now been availed of this belief. Specifically, Snowden revealed that some firms completely handed out private consumer data to the U.S. government, granting access to great swathes of information they had on file for their customers.
In the wake of Snowden’s revelations, Austrian law student Max Schrems took his existing case — questioning the legality of Facebook’s use of his private data — forward to the Irish data regulator, and this very case has resulted in the ECJ’s seminal Safe Harbor ruling.
Schrems complained to the Irish Data Protection Commissioner that the information he entered into Facebook was being used unlawfully by Facebook’s U.S. parent company once it was transferred to the company’s U.S. servers.
The case was rejected by the DPC who said his complaint was “frivolous and vexatious” and that Safe Harbor protected his rights. The decision, according to some, was not wholly unexpected. Schrems then took his complaint to the Irish courts, which then referred the case to the ECJ in November 2014 under Article 267 of the Treaty on the Functioning of the EU (also known as the Lisbon treaty). After reviewing the case and all details available including those from the Snowden leaks, the Luxembourg-based court ultimately disagreed with the Irish DPC, agreed with Schrems and buried the Safe Harbor clause. Its ruling affects not only Facebook but all firms that collect information in Europe and send it to the U.S.
This ruling, which is not subject to appeal, will of course create a huge amount of work for a large number of companies of all sizes.
One possible result of the ruling that is already being discussed is the installation of major data centres across Europe to allow companies to continue to use the valuable information gleaned from that data. This could be seen by many as a successful development, as it would likely safeguard EU privacy laws, provide a boost to the broader economy through job creation and also aid the expansion of the single EU digital market.
A less positive potential outcome could be that some smaller firms, with little or no budget assigned for these types of legalities, may struggle to find a workable strategy, leaving them unable to use information which is essential to the running of their business.
Data protection and privacy laws are becoming increasingly closely monitored in our ever shrinking, progressively digitalized world. Had the ECJ backed away from making a clear decision on Safe Harbor, then private data and information submitted by European citizens could have continued to be used in a way that is completely unacceptable to many individuals.
The impact from a business perspective is less clear-cut, however, and could lead to major expense and years of wrangling over just how global firms with European hubs, but a U.S. head office or parent company, can send, store and use the massive amounts of important but often sensitive information it collects. Indeed, for technology firms in particular, this ruling is likely to create yet another headache for the single EU digital market, even if — from a legal perspective — it helps to clear up a formerly grey area.
The ruling could also re-ignite plans discussed by German chancellor Angela Merkel in February over the creation of a European communications network that would negate the requirement for emails and other data produced in Europe to pass through the US. The desired result of a “Euronet” would be to tighten data protection laws and ensure EU citizens data remained subject to EU rules, enforced by EU-based workers.
While the myriad potential outcomes of this key, if contentious ruling, will take time unfold, one thing is certain; the ECJ continues to understand the importance of its role in making tough decisions that are required to safeguard the rights of EU citizens and step in where governments and other EU agencies fear to tread.
