On 6 October 2015, the European Court of Justice (ECJ) issued the Safe Harbor ruling, which declared the Safe Harbor Agreement invalid. The ECJ ruled that the European Commission’s trans-Atlantic data protection agreement, which went into force in 2000, was invalid because it did not adequately protect consumers’ privacy, especially in the wake of the Snowden revelations.
What was the Safe Harbor Agreement?
The 1995 European Data Protection Directive (soon to be repealed by the General Data Protection Regulation) prescribes certain standards that need to be adhered to when transferring EU citizens’ data. In particular, the ’95 Directive prevents the movement of EU citizens’ data to countries outside of the EU that do not have adequate data privacy protections.
In order to facilitate the transport of data between the EU and the US, the European Commission and the US government agreed that the US would be a ‘safe harbor’ for EU citizens’ data. The Safe Harbor Agreement allowed companies such as Facebook to self-certify that they would protect EU citizens’ data when they transferred it to the US.
The Safe Harbor Agreement allowed for the transport of data from the EU to the US despite the conditions in the EU Directive.
Background to the Safe Harbor Ruling
In light of the Snowden revelations, an Austrian called Max Schrems complained to the European headquarters of Facebook (in Dublin). His complaint was about what was happening to his personal data and he applied for an audit of the data Facebook was passing to the NSA.
This application to Facebook was unsuccessful, so Schrems pursued his claim in the High Court, Dublin. Schrems argued that the transport and collection of data under the Safe Harbor Agreement gave the NSA the opportunity for mass surveillance of European citizens. The Irish court referred the case to the ECJ.
The Safe Harbor Ruling
In the Safe Harbor Ruling, the ECJ held that the Safe Harbor Agreement was invalid. In its view, the Safe Harbor Agreement was not sufficient to prevent mass surveillance by the NSA and access by intelligence authorities to data transferred from Europe.
The ECJ Safe Harbor ruling means that individual European countries can now set their own regulations for how US companies handle EU citizens’ data. The EU has done this by creating the GDPR, which entails compliance with various standards by anyone processing or transferring EU citizens’ data. The EU and the US have also agreed to another data transfer agreement, called the EU-US Privacy Shield, which prescribes greater regulation on the transfer of data from the EU to the US.