Max Schrems' boomerang hits Europe

The European Court of Justice has sent EU and US legislators and negotiators back to their conference tables with its clear ruling of 6 October against the Safe Harbour ‘blank check’. Cheered up by data protection lawyers and civil society organisations, the landmark ruling in favour of 28-year old Austrian PhD student Maximiliam Schrems has some companies and data protection authorities scratching their heads over how to come up with solutions for the data flow tussle.

For several years, the Safe Harbour Agreement between the European Union and the United States had been under fire for being a paper tiger due to the lack of enforcement and redress available for EU citizens. The agreement forged in 2000 allowed for easy transfer of data of EU citizens to the US once companies had signed up and self-certified to be compatible with or at least adequate with a set of EU data protection standards derived from the 1995 Data Protection Directive.

“Invalid,” now ruled the European Court of Justice. Not only, the Court stated, are US authorities themselves not bound by the Safe Harbour principles. They also continuously obliged companies under Safe Harbour to disregard the standards and adhere to national security laws and decisions.

Safe Harbour not safe

The principles according to the text agreed between EU and US in 2000 “may be limited, in particular to the extent necessary to meet national security, public interest or law enforcement requirements and by statute, governmental regulation or case law that create conflicting obligations or explicit authorizations (...)“ In plaintext: US national security and law enforcement interests always prevail over EU fundamental rights protection.

Redress for citizens was, if at all, limited to private dispute resolution mechanisms inapplicable in disputes related to the legality of “interference with fundamental rights resulting from measures originating from the State.” In the case of the United States, the state is requesting access to all data from Safe Harbour companies, without bothering about principles such as that of necessity. Instead, as revealed by the former NSA-contractor analyst Edward Snowden, one of the first to congratulate Schrems, it just sucked out what data it could.

Not only was the European Commission mistaken in considering the US a safe harbour with adequate data protection level, the European judges decided. They also ruled that Europe’s 28 national data protection authorities had, despite the Safe Harbour Agreement, to hear complaints by individual citizens who felt their rights were violated by the transfers.

Schrems had lodged his complaint over data transfers from Facebook with the Irish Data Protection authority (as Ireland is host to Facebook’s European headquarters), who had declared his claim “frivolous“ and found itself not competent to handle it due to the Safe Harbour agreement. The right of EU citizens to file a complaint is guaranteed in article 8 of the European Charter of Human Rights, though.

Data protection authorities and Commission under pressure

With the ‘blank check’ for data transfers invalidated, a flurry of activities were unleashed in Brussels and the member states to prepare for the post-safe harbour solution.

The 28 data protection authorities in the member states did not, as of today 10 am, start to investigate data transfer practices of companies in their respective jurisdictions, a spokesperson from the French Data Protection Authority (Commission nationale de l'informatique et des libertés - CNIL) said to the Internet Policy Review. Instead a subgroup of the Article 29 Working Party would meet this week, Marine de Baillenx said, and the full body would presumably meet as early as next week.

A ‘safer safe harbour agreement’ was proposed at a press conference on 6 October by European Justice Commissioner Vera Jourova, who was until now in negotiations over a review of the Safe Harbour Agreement.

The proposal was echoed by Christian Borggreen, Director International Policy at the Computer and Communications Industry Association. “We need clear guidance from the Commission and the Data protection authorities,” he said, “and, yes, we need the safer safe harbour.” Borggreen especially wanted to underline that larger companies would be less hurt than smaller ones not able to adapt and use the various solutions now offered to bridge the gap.

For the time being Jourova proposed that companies could rely on data transfers based on a number of other provisions, including binding corporate rules, model contracts and also “derogations”, which are exceptions based on the informed consent of data subjects.

But can users waive their fundamental rights, which they would have to do given that US legislation on national security, including mass data collection, stands?

“The Commission has spoken about binding corporate rules, etcetera, the Article 29 group not yet,” the CNIL spokesperson said. It is too early to say how data transfers would be dealt with in the future, she said.

Victory of the European civil society

“You cannot waive your fundamental rights,” said Renata Avila from the Web Foundation, who welcomed the ruling. The organisation established by Tim Berners-Lee's World Wide Web Consortium called for “new safeguards” to be put in place that would “protect the Web as it should be, a secure and private space where people can start businesses, research confidential topics or just chat with friends without the fear of being subjected to unwarranted government snooping.”  

For Avila the ruling is a push in what she calls a battle for equality. “What we have currently is a discrimination problem in a connected world. So in the US there is one standard of protection for the citizens, and then another for the rest of the world.” In the EU on the other hand, access to the courts is possible for everybody, even somebody without deep pockets, she said.

Joerg Ukrow, Chair of the Board of Directors of the Institute of European Media Law described Schrems' win before the European Court of Justice as proof for the growing influence of civil society for a globalisation bound by fundamental rights. Several times citizens of the Union have become the real guardians of the European treaties and the growing engagement of the European public also has become a driver of the “discourse about how to develop EU law with regard to human rights in a more closely integrated Union.”

The boomerang effect

Ukrow might prove to be right as the ruling of 6 October questions the trend to override fundamental rights for national security exceptions. Neither security in general nor the fight against terrorism in particular justifies the erosion of EU fundamental rights like data privacy.

With EU member states passing broader surveillance legislation, warns CCIA director Borggreen – while in the US there is a push for reform, and EU surveillance cases are pending before the EU courts already, more landmark rulings might be sought after.

After his victory, Maximilian Schrems pointed out that it was not only a victory over the US public-private partnership over surveillance. “At the same time this case law will be a milestone for constitutional challenges against similar  surveillance conducted by EU member states.”