The European Court of Justice has today declared invalid the Safe Harbor data-transfer agreement that has governed data flows from European users of U.S. cloud services to the U.S. for processing.
“The Court of Justice declares that the Commission’s U.S. Safe Harbour Decision is invalid,” the ECJ said in a statement today, reported by Reuters.
Some 4,000+ U.S. companies rely on Safe Harbor to operate their cloud businesses in the region. It affects those companies that outsource data processing of E.U. data to the U.S.
The Safe Harbor executive decision dates back to 2000, and allows U.S. companies to self-certify that they provide “adequate protection” for the data of European users, in order to comply with the European data protection directive.
The rules were already under review by the European Commission, in the wake of the Snowden revelations exposing how U.S. intelligence agencies’ surveillance apparatus was tapping into commercial Internet services.
The ECJ’s judgement is the culmination of a 2013 legal challenge by European privacy campaigner Max Schrems, who filed complaints against several U.S. Internet giants in the Irish courts for alleged collaboration with the NSA’s Prism program. The Irish courts dismissed the complaint, on the grounds that the European Safe Harbor agreement governed such data flows — referring the case to the ECJ. The latter has now ruled that European data protection authorities cannot rely on the umbrella of Safe Harbor to govern their decisions.
In an initial response to the ruling, Schrems said it “draws a clear line” by clarifying that mass surveillance “violates our fundamental rights”.
His statement reads:
I very much welcome the judgement of the Court, which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.
The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it.
This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.
At the same time this case law will be a milestone for constitutional challenges against similar surveillance conducted by EU member states.
There are still a number of alternative options to transfer data from the EU to the US. The judgement makes it clear that now national data protection authorities can review data transfers to the US in each individual case – while ‘safe harbor’ allowed for a blanket allowance. Despite some alarmist comments I don’t think that we will see major disruptions in practice.
Late last month, the top advisor to the ECJ, Yves Bot, issued an opinion that suggested the court would invalidate Safe Harbor.
In a last-minute PR scramble in recent weeks, as that decision looked likely, both the U.S. mission in Europe and Robert Litt, the general counsel from the office of US director of national intelligence, have been attempting to argue that U.S. intelligence operates ‘targeted’ not mass surveillance, despite the dragnet approach detailed in the Snowden documents.
Writing in an article in the FT only yesterday, Litt argued that the NSA’s Prism data harvesting program “does not give the US ‘unrestricted access’ to data”, claiming: “Rather, the US may obtain communications only relating to specific identifiers, such as an email address or telephone number; only if the US believes those identifiers are being used to communicate foreign intelligence information; and only with the legally compelled assistance of communications service providers under the supervision of an independent court.”
Such interventions have clearly failed to sway the court.