In a decision that could have widespread ramifications for all industries, the Court of Justice of the European Union has rejected the U.S.-EU Safe Harbor, deeming it "invalid." Thousands of U.S. companies have relied on the Safe Harbor to transfer personal data from the EU to the U.S. without violating EU privacy and data protection rules and directives.
The European Commission's Data Protection Directive requires that countries to which the personal data of EU residents are transferred maintain adequate standards for data protection. The U.S.-EU Safe Harbor Framework was put in place over 15 years ago to enable the transfer of personal data from EU residents to companies in the United States in a manner that would be deemed adequate and in compliance with EU data protection standards. In June 2013, an Austrian citizen, Maximilian Schrems, challenged the transfer of personal data from Facebook Ireland Ltd. to Facebook USA. He contended, in essence, that the laws and practices of the United States offered insufficient protection for data kept in the United States against government surveillance. His argument followed revelations made by Edward Snowden concerning the activities of U.S. intelligence services, including the National Security Agency (the NSA). The EU's Data Protection Commissioner refused to investigate, reasoning that the U.S.-EU Safe Harbor mechanism ensured an adequate level of protection of personal data transferred to the United States.
Schrems sought review of the commissioner's decision by the High Court of Ireland. The Irish court then asked the Court of Justice to determine whether the Safe Harbor barred consideration of Schrems' complaint.
Advocate General's Opinion
In late September, the EU Advocate General issued an advisory opinion in which he observed that the Irish court had proceeded on the basis of two findings of fact. First, that personal data transferred by entities such as Facebook Ireland to its parent company in the United States was capable of being accessed by the NSA and by other U.S. agencies. Second, that EU citizens had no effective right to be heard on the question of the surveillance and interception of their data by the NSA and other U.S. security agencies.
The Advocate General concluded that, in his view, those findings demonstrated that the Safe Harbor did "not contain sufficient guarantees" of adequate privacy protections for EU citizens and, accordingly, that it did not satisfy the EU's privacy...