The Safe Harbor agreement between the European Union and the United States permitted American businesses to import personal data of EU citizens based on self-certification of compliance with EU data protection laws. Safe Harbor was widely criticized in Europe as being too easily circumvented, too infrequently enforced and offering too little protection to the personal data of EU citizens.
Edward Snowden's 2013 claims that the U.S. National Security Agency was collecting vast quantities of personal data of foreign nationals provided to it by Internet companies dramatically escalated EU criticisms of Safe Harbor. Snowden's revelations led European data processing authorities ("DPAs") and EU representatives to insist on negotiations to strengthen Safe Harbor if termination of that agreement by the EU was to be avoided. While those negotiations slowly proceeded, the EU Court of Justice ("EUCJ") heard a claim by an Austrian activist, Max Schrems, alleging that Facebook - a Safe Harbor participant - violated the privacy rights of EU citizens by giving their personal data to the NSA. On October 6, 2015 the EUCJ concluded in its Schrems decision that the Safe Harbor agreement failed to protect Europeans from unlimited and indiscriminate collection, storage and review of their private information, and thus was invalid.
The EUCJ also declared that a national DPA is obliged to challenge decisions of the European Commission that approve agreements such as Safe Harbor, and now the Privacy Shield, when their investigations lead them to believe that an agreement with a non-EU country fails to protect privacy rights of their citizens. With that holding, the EUCJ's ruling removes the legal certainty that Commission approval of agreements negotiated with key trading partners can be relied upon before expensive practices and procedures are implemented to comply with their terms.
Response to Safe Harbor's Demise - The Privacy Shield
The Schrems decision caused great concern among the U.S. businesses that were relying on Safe Harbor for their flow of data from Europe, and created political pressure on the U.S. and EU agencies already negotiating revisions to that agreement. Moreover, the Article 29 Working Party ("Working Party")- an independent and enforcement-oriented advisory body on data protection comprised of representatives of the data protection regulators of all 28 of the member states - had adopted an aggressive posture on the effect of Schrems on the...