Following on the recommendation of European Court of Justice Advocate General Yves Bot in the Max Schrems case, Brookings TechTank reports that the “European Court of Justice (ECJ) issued a ruling on October 6 that struck down the U.S.-EU Safe Harbor Agreement, which established a set of privacy protection rules for companies that transfer customer data between the European Union and the United States.”
“The Max Schrems case concerns the Irish Data Protection Commissioner’s decision not to investigate a complaint made by Schrems regarding the storage by Facebook of its EU subscribers’ data on servers in the U.S. More broadly, the case questions the adequacy of the U.S.-EU Safe Harbor scheme. In his 23 September 2015 opinion, the Advocate General determined that national data protection authorities are not prevented from investigating and reaching an independent decision from the European Commission decision underlying Safe Harbor. As such, the Irish Data Protection Commissioner had no legitimate basis to refuse to investigate the complaint made by Max Schrems.”
“The Advocate General considered that the finding of adequacy by the European Commission in connection with Safe Harbor should be declared invalid since the existence of a derogation (which allows the principles of the Safe Harbor scheme to be disregarded for national security reasons) prevents Safe Harbor from ensuring an adequate level of protection for the personal data which is transferred from the EU to the U.S. In addition, in the view of the Advocate General, there is no U.S. independent authority capable of verifying that the implementation of the derogations from Safe Harbor by, for example, U.S. security agencies is necessary because neither the FTC nor any private dispute resolution body has the power to monitor such possible breaches.”
Alex Loomis provides a brief explainer on the U.S.-EU Safe Harbor framework and the ECJ’s determination: “In short, the safe harbor is a patchwork, woven of European and U.S. law, which establishes a mechanism for covered U.S. companies to assert compliance with EU data privacy regulations… In 2000, the European Commission published Decision 2000/520, stipulating that American companies that comply with the framework would have ‘adequate’ levels of data protection, for purposes of the Directive, and further that all EU member states were to respect the Commission’s ‘adequacy’ determination… It effectively eliminated the need to get prior approval before transferring personal data from the EU to the United States, and left enforcement of privacy norms regarding that data to be conducted primarily in the United States.”
The Financial Times looks at the impact of the ECJ ruling on U.S. companies.
“The US tech industry reacted angrily to the ruling. Internet companies such as Amazon and Facebook, as well as IT companies including IBM and Salesforce that run cloud services for businesses, raced to change the legal footing of their businesses to avoid breaking the law… Many of the biggest companies had drafted new legal terms of service for their customers in the hope that they could carry on their current practices without risk of regulatory attack, though lawyers warned that much would depend on how national regulators in Europe interpreted their new powers… Big tech groups insist they can weather any changes in the law but say smaller businesses lacking established European divisions may suffer… One tech lobbyist said, however, that the ruling had taken a ‘sledgehammer’ to Brussels’ plans to introduce a single market for online goods and services.”