Last October 6th, the ECJ finally came to a decisive episode of the Safe Harbor saga, by ruling the invalidity of a system that provides a totally inadequate level of protection of european citizens’ data. Max Schrems warmly welcomed the ECJ ruling and, in his first official response to the judgement, called in to question the precious key role played  by Edward Snowden. The latter, American whistleblower currently living in Russia, let the entire world know about the mass surveillance programs set up by the American NSA, targeting also EU citizens. The other, Austrian citizen, gave to all the European citizens the concrete possibility to have their fundamental rights of privacy and data protection defended, by filing a complaint before the Irish Data Protection Commissioner two years ago. “Congratulations Max Schrems. You’ve changed the world for the better” Edward Snowden wrote in a tweet.

The ECJ ruling of this week, does not conclude the whole judicial procedure, that will pass again before the Irish High Court, but constitues a huge step towards the realization of a really safe harbor for the transatlantic exchange of personal data. “The judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights”, Schrems affirmed.

Everything we do online generates data or requires their uploading on the network: credit card data, pictures, personal information. The digital world is mainly dominated by American companies such as Google, Facebook, Amazon, Microsoft. All the data are collected and stored in the servers of the companies whose software are based in the US. The simple transfer of data turns out to be cheaper than the building of independent servers in Europe. The Safe Harbor agreement constituted a special agreement aimed at facilitating the process of transfer towards the US, given the huge volume of data exchange.

The ECJ ruling, confirming and giving a binding value to the conclusions of the Advocate General delivered on September 23h, stated that the Safe Harbor system breaches with the root principles of the European state of law.

15 years have passed and things evolved

The Safe Harbor system was finalized by the Commission in the year 2000 and over the years things have partially changed.

First, with the entry into force of the Lisbon Treaty, the European Charter of Fundamental Rights acquired the status of primary law. Thus all the EU legislation, including the executive decision of the Commission on Safe Harbor, is subject to the principles and the rights laid down in the Charter. Among them it is necessary to highlight for this specific case, art. 7, 8, and 47, stating the principles of respect for private and family life, protection of personal data and right to an effective remedy and to a fair trial.

Secondly, it is necessary to remember the evolution of the American law enforcement and national security policy towards a more interventionist approach that is  particularly embodied in the provisions of the Section 2015 of USA PATRIOT Act of 2001, and the amendments of the Foreign Intelligence Surveillance Act (FISA) of 2008.

Things changed, thus modifying “all the circumstances” that according to art. 25 of the Directive 95/46 have to be considered by the Commission in order to assess the required adequacy of protection. Despite this and the initial criticism expresses by the European Parliament and the Art.29 Working Party, as well as a scientific implementation study undertaken by the Commission in 2004 that raised some uncertainties, the guarantees and the principles of the Safe Harbor scheme remained untouched.

The sentence in few words

The Safe Harbor system provides derogations to the compliance to privacy principles for national security purposes, public interest and law enforcement requirements. The definition of “national security”, was one of the critical point of the plaintiff’s complaint and the Court observed that the Safe Harbor scheme, in the light of the general nature of the derogations it provides, “enables interference … with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States”.

The interference with fundamental rights, even though authorized by the rule of law and put in place in order to pursue legitimate objectives, does not fall under any principle of limitation and does not comply with the principle of necessity. “Legislation is not limited to what is strictly necessary where it authorizes, on a generalized basis, storage of all the personal data … without any differentiation, limitation or exception … and without an objective criterion being laid down by which to determine the limit of the access to public authorities to the data and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference”. There is no strictly necessity, nor clear and precise rules on the scope and application of the measures creating such interferences.“The legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect of private life”.

Moreover, the Court remarked the clear lack of any “possibility for an individual to pursue legal remedies” to be able to access data, obtain their ratification or erasure: a clear violation of the right to an effective judicial protection.

The Court, always in line with the General Advocate conclusions, stated also the competence and the power of national supervisory authorities to investigate and examine whether the transfers of data comply with the provisions of the Directive 95/45, even if the Commission assessed the adequacy of the level of data protection in third countries. The executive decision of the Commission can not eliminate nor reduce the power of those authorities, in light of their independent character and of the role they are entitled to.

Fundamental rights win

The sentence came despite an open disagreement on the General Advocate opinion was expressed by the United States and some concerns were raised by the commercial and high-tech world, that launched a desperate call to prevent the possible disruption of transatlantic data flows.

The Court recognized the supreme nature of the fundamental rights and freedoms laid down in the Charter by confirming once again the line of its recent jurisdiction in the field. In this way it marked an important victory of the fundamental rights over the profit and the businesses, that have been using the Safe Harbor system for many years thus not providing the necessary protection of data.

What about Security? “The CJEU decision on SafeHarbor can’t strike FAA702 off the books in the US, but it shows it does not comport with international law” Edward Snowden declared through twitter. It is true. The ruling of the ECJ does not have any kind of value nor direct effect on the US rules of law as remarked by Commissioner Juorova, “We still do not have jurisdiction on the American soil”.

The sentence however is likely to have great impact and to raise debates, not only on the other part of the ocean, but also on the European soil: only last September 30th the French Parliament was called by a letter signed by 31 civil rights groups to reject a draft proposal defined by EDRi as a “mass surveillance Bill”. The bill was approved the day after.

This, while great concern is raising about a draft that the Finnish Government is currently preparing and that, always according to European Digital Rights “will grant the military and the Finnish Security Intelligence Service (Supo) the authority to conduct electronic mass surveillance for military and civilian intelligence purposes”.

The Netherlands, on its side, concluded an online consultation undertaken by the government on a proposal aimed at increasing the surveillance powers of the intelligence services and extending them to tax authorities. The good Europe of fundamental rights should keep an eye also on its own land!

EU – USA: different approaches in the field of data protection and relations at risk

Despite the trust among the united States and the European Union seemed to be recovered after the finalization of the “Umbrella Agreement” for the protection of data in the field of law enforcement cooperation last September, things are back to the starting point.

It is the second time that the ECJ strikes down american private companies practices in the field of data protection and imposes them the respect of data protection and right to privacy. It already happened in May 2014 with the sentence on Google Spain case.

“You have to see this as the beginning of an all-out attack on the way US companies and the government collect data in Europe”. Those the words of Jeff Chester, an American privacy campaigner, reported by the Financial Times on October 7th. Rulings such as those have a certain influence on the transatlantic relations: high-tech giants and security are things that matter a lot in the United States.

At the core center of the whole question lays the deep difference among the European and the American approach with regards to data protection and privacy. The United States holds a more liberal tradition in this field and especially it more easily concedes derogations in terms of data protection and right to privacy for reasons of national security. This liberal approach was strengthened particularly after the launch of the “war on terror” under Bush administration and went forward during the following years. The power of the Security services increased and the extent of their actions and scope expanded till the set up of a legal framework that today is accused to have been furnishing the base for mass surveillance programs.

Europe, form its side, always showed to be more cautious in the field, setting up rules offering higher standards of guarantees and preservation in terms of data protection and respect of privacy.

On one side there is the always increasing need of security, apparent or real, of the United States holding legal instruments that allow to “target any non-US citizen or non-US legal resident located outside the territory of the US for surveillance” and for “any tangible things”. On the other side, Europe can not so easily depart from the principles of the European Charter of Human Rights. A Charter that constitutes the most similar thing to a constitution that the EU holds.

A central question that has always been critical and will continue to be such, consists in the exigence of finding an acceptable compromise among two partners that endorse different logics and thus draw up and follow different sets of rules and that at the same time hold very strict relations in terms of economy, commerce, law enforcement.

A compromise capable to satisfy two exigences ( security and right to privacy and data protection) sometimes seen as contrasting principles, even though they actually constitute complementary imperatives laying at the root basis of democratic systems. The question then, gets even more complicated when the interests of business and private industry are directly involved.

An important added value has to be taken into consideration now, for the assessment of the already enough complicated picture. The EU Commission was already called by the EP, by experts, lawyers and activists of the civil society to negotiate higher standard of protection with the US. Now, the judicial character of the statement imposes a stronger imperative for the establishment of new safer rules that necessarily have to comply with the fundamental rights of the Charter.

Therefore, the margin of action of the Commission results to be somehow reduced, since it won’t be able to make too generous concessions to the American partners in terms of privacy and data protection guarantees. Not any more. As a matter of fact, this turns out to be a totally positive aspect on the European side, since the ruling strengthens the Commission’s hand within the process of negotiations of the new Safe Harbor system.

Higher standards of protection will have to be ensured by the US if the new special system for the exchange of data wants to be finalized. Lot of pressure is put for the rapid conclusion of the negotiations also in light of the finalization of the TTIP.  The Commissioner Jourová however, remarked that there won’t be any finalization before the achievement of “satisfactory results”.

What will the United States be disposed to do and to concede now?

The process of negotiations, expected to be fulfilled by the end of last summer, for obvious reasons turned out to be very much critical on the principles regarding the access to data by US Authorities (Recommendations 12 and 13). The delay risks to get worse now and negotiations to be stuck.

For now and from the strong declarations made after the General Advocate opinion, the impression is that the US won’t easily give up. On September 29 the US government responded to Bot’s conclusions arguing that the findings of the opinion were based on unreliable information and complaining the lack of a real investigation of the facts. This position was remarked once more the day before the judgement, in a declaration by Robert Litt, general counsel of the Office of the Director of US National Intelligence, published by the Financial Times. “The decisions of judicial bodies should be informed by accurate information. Prism is focused and reasonable. It does not involve ‘mass’ and ‘unrestricted’ collection of data, as the advocate-general says”.

Some reactions

Few hours after the delivery of the judgement the US Secretary of Commerce, Penny Pritzker declared: “We are deeply disappointed in today’s decision from the European Court of Justice, which creates significant uncertainty for both US and EU companies and consumers, and put at risk the thriving transatlantic digital economy.” About 4500 companies subscribed and exchanged data necessary for their business under the Safe Harbor scheme.

Le Monde of October 8th judges the reaction of the US as a “cris d’orfraie”, a proper disproportionate reaction! “A country that openly claims its right of judicial extraterritoriality can not reasonably be surprised that a european jurisdiction wants to apply its proper rules on its own soil.”

Great disappointment however, was expressed also by BSA The Software Alliance and by Digital Europe for the “immediate harm to Europe’s data economy” as well as the “negatively impact [on] countless consumers, employees and employers” the judgement creates.

All the business world urged the Commission and the US government to finalize the new agreement as soon as possible since a new legal base is strongly needed from both the parties, as well as for companies and consumers.

It is evident and understandable, to some extent, that on both the Atlantic sides companies are deeply concerned about the post-ruling situation. The implications are real and engage private companies with their daily economic and commercial dynamics in an extremely politicized issue. An issue that is about the definition of the extent to which security systems can access personal data and that have to be solved in a framework of negotiations among governments.

The Commission, in a conference press delivered by Vice-President Timmermans and Commissioner Jourová clarified that it is already at work. “Data flows constitute the backbone of our economy” and the jugement leaves great legal uncertainties, that urged to be immediately recovered as remarked also by the General Director of Business Europe.

What happens to data flows? Alternative means of transfer for now!

The value of the ruling, as clarified by some experts of the Commission, is retroactive thus invalidating all the transfers undertaken under the Safe Harbor along the past 15 years.

Safe Harbor system was set up for a “good reason” the Commissioner affirmed, by adding:“transfer among companies across the Atlantic ocean can continue” relying on alternative legal mechanisms provided by the EU law: standard data protection clauses in contracts between companies, as well as binding corporate rules for transfers within a corporate group.

Moreover, EU data protection rules include derogations under which data can be transferred: the performance of a contract, important public interest grounds, the vital interest of the data subject and the free and informed consent of the individual.

Instruments and means of transfer thus exist but potential adverse consequences have to be avoided, especially with regards to the National Authorities role that has been clarified by the sentence.

By stating the invalidity of the decision and the inadequacy of data protection in the United States, the ECJ calls directly into question the role of National Data Protection Authorities that will have to examine all the complaint submitted to them, by taking into consideration the stated “inadequacy” of the american partner.

The central question is that without Safe Harbor Europe steps back to 28 different regimes. A concrete risk of fragmentation arises and the Commission remarked that one of its current priorities is to guarantee a coordinated european approach.

For this, it announced it already started to work in close cooperation with the art.29 Working Party in order to define guidelines and offer assistance and information, not only for business but also to National Authorities so that a coordinated response at the EU level can be provided. It is necessary to explain in clear words what the ruling does mean and to provide uniform interpretations and lines of action in order to manage the practical enforcement of the ruling.

On October 8th a first technical round table was organized and further meeting are expected next week. Moreover, the art.29 Working Party by warmly welcoming the ruling, announced that an extraordinary plenary meeting will be shortly scheduled.

The European Commission attitude at the center of the debate

The Commission, already called by the Parliament to suspend the Safe Harbor scheme one year and a half ago, refused any accusation of responsibility. During the press conference delivered by Vice-President Timmermans and Commissioner Jourová, the ECJ ruling was presented not as a hard blow to the credibility  and the position maintained by the Commission, but more as reinforcement: “I see this is a confirmation of the Commission approach in the negotiations going on with the US for a new agreement”, Timmermans said.

Despite he affirmed also that “the Court did no way contested the role and the position of the Commission”, to some extent the Commission was actually directly called into question by the Court. “The Commission was required to find that the United States in fact ensures … a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU … The Court observes that the Commission did not make such a finding”.

As we have already seen, things have changed quite a lot during these 15 years and the Commission only decided to reform the system after E. Snowden revelations in November 2013.

Was this really enough? It does not seem to be the case according to the Parliament reactions, and indeed, despite the Commission already started to recover the Safe Harbor scheme, we find now in a situation of legal uncertainty that may have been prevented.

Strong criticisms indeed came from the Parliament immediately after the ruling. “The Commission has to change its plans … We’ve been telling her [Commissioner Jourová] that the Safe Harbor is not safe. She now must come to us and tell us concrete plans”, Claude Moraes, Chair of the LIBE committee of the European Parliament, affirmed in a press release.

The voices of Jan Philipp Albrecht (Green) and Sophie in’ t Veld (ALDE) were heard very strong. “The European Parliament has called for the repeal of Safe Harbor. Legal experts have called for the repeal of Safe Harbor. Now the highest court in the European Union has declared Safe Harbor invalid. Will the Commission finally understand it has been pulling a dead horse by insisting it can make Safe Harbor work?”  Those the words of in’ t Veld, who continued: “We can not always expect judges to repair sloppy legislative work by politicians looking for easy and popular measures”.

Also the S&D group position, expressed by Birgit Sippel, underlined the fact that some action should have been undertaken by the Commission well before.

The MEPs urged for the finalization of a new legal basis for the exchange of data with the US, providing the necessary enforcement measures, also in light of the efforts Europe is making to move towards the constitution of a digital market, with data exchange laying at its basis. “As politicians we need to work on concluding a set of international standards that allow the transfer and storage of data whilst empowering people to control how their data is used”, Timothy Kirkhope (ECR) said.

The ALDE group on October 8th sent a letter to the Commission, inviting it to “engage immediately with US authorities for a prompt and effective response”.

The Commission is also called to assess the implications of the ECJ ruling on other projects the EU is currently dealing with such as the Data Protection Reform, the EU PNR system and the EU-US Umbrella Agreement. The Parliament already claimed for a legal opinion on the text of the agreement finalized with the US in September. The MEPs may ask for further advises and intensify the control of the guarantees and the protections provided by the texts currently on the table. The will to finalize all this project before the end of the years is often heard in Bruxelles: will it really be possible on the wake of this ruling?

As it happens quite often in the European inter institutional game, it is the ECJ that through its judgements make more politics than actually the institutions do in their ongoing debates and disputes. This has been a great victory by a european citizen who has succeeded to  put a milestone in the direction of a more rationally conceived policy.

Multiple challenges have to be faced. A lot of uncertainty still dominates  few days after the ruling not only about its concrete consequences, but especially on how the relations with the US will evolve.

Paola Tavola

For further information

-. Is the Safe Harbor paradox nearly coming to an end? the Advocate General of the ECJ states the invalidity of the EU-US decision at the basis of commercial data exchange. Will the Commission still ignore the parliament calls for the suspension of the system? http://europe-liberte-securite-justice.org/2015/09/27/is-the-safe-harbor-paradox-nearly-coming-to-an-end-the-advocate-general-of-the-ecj-states-the-invalidity-of-the-eu-us-decision-at-the-basis-of-commercial-data-exchange-will-the-commission-still-igno/

-. EJC Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0362&lang1=it&type=TXT&ancre=

-. Press Release, The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf

-. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EN) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML (FR) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:fr:HTML

-. Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (EN) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML (FR) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:FR:HTML

-. The US legal system on data protection in the field of law enforcement. Safeguards, rights and remedies for EU citizens http://www.europarl.europa.eu/RegData/etudes/STUD/2015/519215/IPOL_STU(2015)519215_EN.pdf

-. First Vice-President Timmermans and Commissioner Jourová ‘s press conference on Safe Harbour following the Court ruling in case C-362/14 (Schrems) http://europa.eu/rapid/press-release_STATEMENT-15-5782_en.htm

-. Communication from the Commission to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens andCompanies Established in the EU http://ec.europa.eu/justice/data-protection/files/com_2013_847_en.pdf

-. Statement from U.S. Secretary of Commerce Penny Pritzker on European Court of Justice Safe Harbor Framework Decision https://www.commerce.gov/news/press-releases/2015/10/statement-us-secretary-commerce-penny-pritzker-european-court-justice

-. ECJ strikes down beleaguered Safe Harbour data sharing with US http://www.euractiv.com/sections/digital/ecj-strikes-down-beleaguered-safe-harbour-data-sharing-us-318259

-. Digital Europe’s reaction to the CJEU Judgement in the case Maximillian Schrems vs Data Protection Commissioner (Case C-362/14) http://www.digitaleurope.org/DesktopModules/Bring2mind/DMX/Download.aspx?Command=Core_Download&EntryId=1023&PortalId=0&TabId=353

Jan Philipp Albrecht, EU court safeguards fundamental right to data protection http://www.greens-efa.eu/data-protectionfacebook-14563.html

-. Timothy Kirkhope, Safe Harbour ruling highlights the need for an international framework for data http://ecrgroup.eu/news/safe-harbour-ruling-highlights-the-need-for-an-international-framework-for-data/

-. « The USA must finally respect EU data protection standards, » S&D MEPs on data protection ruling (EN) http://www.socialistsanddemocrats.eu/newsroom/usa-must-finally-respect-eu-data-protection-standards-sd-meps-data-protection-ruling (FR) http://www.socialistsanddemocrats.eu/fr/newsroom/%C2%AB-les-usa-devront-enfin-respecter-les-normes-de-protection-des-donn%C3%A9es-de-l%E2%80%99ue-%C2%BB-commentent

-. Letter to Commission on Implications ECJ Safe Harbor Ruling http://sophieintveld.eu/letter-to-commission-on-implications-ecj-safe-harbor-ruling/

-. ALDE Group calls for immediate repeal of Safe Harbour http://www.aldeparty.eu/en/news/alde-group-calls-immediate-repeal-safe-harbour

-. Viviane Reding, Ruling of the EU Court of Justice on “Safe Harbor”: It is a kick-start, not a grinding halt. The Court confirms what I declared in 2013 (EN) http://www.eppgroup.eu/press-release/%E2%80%9CSafe-Harbor%E2%80%9D:-It-is-a-kick-start,-not-a-grinding-halt.– (FR) http://www.eppgroup.eu/fr/press-release/Safe-Harbor:-C’est-un-coup-de-fouet,-pas-un-coup-d’arr%C3%AAt

-. Art. 29 Working Party press release http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151006_wp29_press_release_on_safe_harbor.pdf