In a move that could cost the EU up to 1.3 percent of its gross domestic product, according to the American Chamber of Commerce to the European Union, on Oct. 6 the European Court of Justice invalidated the 15-year-old EU-US Safe Harbor Agreement in Schrems v. Data Protection Commissioner, causing some consternation among the more than 5,000 European and U.S. firms that rely on the Agreement to transfer EU data to U.S. servers. Given its potential impacts, this case is important to consider on its own merits, but it should also be read as another step in a growing rift between the EU and U.S. not only on privacy law, but also on the future of Internet governance itself.
The case was brought by an Austrian law student and civil rights advocate, Maximilian Schrems, who sought to challenge Facebook's international data transfers from Ireland (where Facebook's European subsidiary is headquartered) to the U.S. arguing that this practice infringes his privacy rights due to the potential for U.S. government surveillance. The Irish Data Protection Commissioner rejected Schrems' complaint on the grounds that the European Commission had already decided that the U.S. ensured an adequate level of privacy protections. Schrems appealed that decision to the Irish High Court, which referred the dispute to the European Court of Justice.
At the heart of the case was the Safe Harbor Agreement negotiated between the EU and U.S. in response to the 1998 EU Data Protection Directive (DPD), which in part prohibited the transfer of data on EU persons to non-EU nations that do not maintain "adequate" privacy safeguards. The Directive left U.S. firms (many of which then, as now, are global tech leaders) in a difficult position given that, until the Safe Harbor Agreement was finalized, U.S. privacy law was found to be inadequate. Still, the Agreement was largely successful at easing transatlantic data flows, at least until the 2013 revelations by Edward Snowden. These resulted in 13 recommendations by the European Commission for revising Safe Harbor, and set the stage for Schrems.
In its Schrems decision the ECJ noted that carve-outs in the Safe Harbor Agreement -- such as for U.S. national security, public interest, and law enforcement -- opened the door for bulk data collection, including the NSA program codenamed PRISM. This reasoning led the ECJ to hold that: (1) the U.S. bulk collection of personal data violated the privacy rights of EU citizens, and (2) EU citizens were not afforded the opportunity to challenge these U.S. practices, compromising their right to judicial review. Ultimately the ECJ decided that no amount of self-certification could get around U.S. surveillance practices, which were found to be irreconcilable with EU privacy law (even though the USA Freedom Act, passed prior to the Schrems ruling, outlaws the kind of bulk data collection that this ECJ decision says violates the DPD). It also found that the ECJ alone has the power to decide whether or not European Commission decisions on the privacy practices of other nations are valid.
Looking ahead, there are two principal options, each involving uncomfortable consequences for Europeans. First, either the Irish or EU Data Protection Commission could determine that U.S. privacy law is, in fact, adequate and in so doing make this issue go away. Similarly, the new EU-wide General Data Protection Regulation, which is slated to override the DPD, could address data transfers with the U.S. However, these options do not address the ECJ's core concerns in Schrems, particularly bulk data collection and the need for more robust judicial review to help protect the privacy rights of EU persons. Consequently, the second option is for the European Commission and national governments to negotiate an alternative to Safe Harbor before global supply chains generally, and social networking, e-commerce, and cloud service firms in particular, are adversely affected.
If none of these options comes to pass, then costs will mount, both financial and, perhaps surprisingly, in terms of privacy. European and U.S. companies will have to rely on expensive and time-consuming model contracts or other agreements to continue transatlantic data transfers. Moreover, there is the risk that this new policy could, in fact, hurt the privacy of EU persons, given that the National Security Agency has fewer restrictions on conducting surveillance overseas (including on foreign data centers) than it does within the U.S.
More broadly, Schrems demonstrates the extent to which privacy is both a vast and a culturally relative concept, encompassing (among much else) freedom of thought, bodily integrity, solitude, and freedom from surveillance. Countries around the world draw the line between privacy, freedom of expression, and national security in varied ways that flex as perceived national emergencies rise or fade. As Professor James Whitman has argued, and as Schrems demonstrates, "in the law of privacy . . . the contrast between Europe and the United States is stark and is growing starker." Aside from data protection, this trend may be seen in differing conceptions of what counts as "news" and the "public interest," as well as who "public figures" are and what privacy rights they should enjoy.
Likewise, this case highlights contrasting EU and U.S. views on Internet governance, particularly with regard to territoriality. The EU has sought to keep data on EU citizens within its territorial borders and is, in some ways, pushing for a region-centric vision of Internet governance with ramifications for global cyberspace. This movement may be seen as an extension of the 2001 case in which French litigants sued Yahoo! to force it to remove Nazi items from yahoo.com. The firm defended the lawsuit by arguing that, if upheld, the claim would essentially make French law into international law. However, the French court rejected Yahoo!'s impossibility argument, undermining assumptions about a borderless Internet and demonstrating the extent to which rulings can ripple across cyberspace.
Ultimately a rekindled multi-stakeholder dialogue is needed to help clarify global privacy standards and flesh out the right to privacy mentioned in both the 1948 Universal Declaration of Human Rights and the 1966 International Covenant on Civil and Political Rights (ICCPR). This could take the form of an additional protocol to ICCPR of the kind now being pursued by the German government, a draft of which was approved by the International Conference of Data Protection and Privacy Commissioners. Such efforts could help narrow the widening transatlantic rift and build a common vision of privacy rights in the digital age.
Scott Shackelford serves on the faculty of Indiana University, where he teaches cybersecurity law and policy. He is also a senior fellow at the Center for Applied Cybersecurity Research, a National Fellow at the Hoover Institution, a Visiting Scholar at Stanford Law School, and a term member of the Council on Foreign Relations. This post was also published by Columbia Law School. Indiana University recently hosted a discussion on transatlantic data privacy at its new IU Europe Gateway office in Berlin.