New Decision from EU Court of Justice Draws the Curtain on the "Golden Age" of Safe Harbor
Could it be that we will come to look back on the trials and tribulations of the E.U. Safe Harbor regime as a "Golden Age?" Indeed, we may.
Transatlantic e-discovery has taken a direct hit in the ongoing skirmish between the United States and it's European Union partners regrading Edward Snowden's 2013 NSA revelations. In Schrems v Data Protection Commissioner,an Austrian citizen sued Facebook's Irish subsidiary for transferring and storing his, and other E.U. residents, data on servers based in the United States. Still with me?
The Irish Data Protection Commission initially denied the petition on the basis of European Parliament Directive 95/46/EC, and the subsequent implementing regulations, which established the Self Harbor self-certification regime. Yesterday, the E.U. Court of Justice, rejected this deferential posture, stating that:
[T]he existence of a Commission decision
finding that a third country ensures an adequate level of protection of the personal data transferred
cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. [Original emphasis]
But, the decision goes further - much further. After noting that it has exclusive authority to determine whether an act taken by the Commission is, ultimately, invalid, the Court then reasons that U.S. government agencies are not subject to, or guided by, the Safe Harbor provisions, and that private actors may be compelled to eschew their Safe Harbor obligations and representations by U.S. "national security, public interest and law enforcement
requirements." Moreover, in terms of internal E.U. policy, the Court finds that the directive unduly limits the autonomy of national Data Protection Authorities to establish protocols in keeping with their domestic laws. For these reasons, the Court declared the directive invalid.
It likely goes without saying to readers of this blog, but this Safe Harbor certification protocol has become the cornerstone of cross border e-discovery, and the billion dollar vertical such work supports. Five years elapsed between the passage of Directive 95/46/EC, and the adoption of the Safe Harbor regime. This decision now presents the delightful (#Irony) challenge of duplicating this laborious and protracted process in each of the 28 member states. What are your thoughts on this decision? We'd love to hear about them! Use the hashtag #SoLongSafeHarbor