Schrems vs Safe Harbour: what’s it all about?

Q: The ECJ has ruled transatlantic data transfers under the “Safe Harbour” provision invalid. Has Europe’s highest court just broken the internet?

A: No, your Facebook account will continue to work as before. But the rules covering what happens to the data you post have been thrown out. Judges in Europe's highest court in Luxembourg have warned the European Commission that its 15-year old "Safe Harbour" is invalid and should be drained. This was a privilege extended to around 4,500 US companies to expedite data transfers to the US once they self-certify that they will meet levels of protection deemed "adequate" by Brussels. The commission is now is under the gun to find a better deal, because the court found that Safe Harbour violates EU citizens' fundamental rights to privacy and data protection.

Q: How did this fight begin?

A: It began in 2013 when Max Schrems, an Austrian law graduate, heard about Edward Snowden's claims Facebook and other US companies were being forced to make their user data - including EU user data - available to US intelligence.

Q So what did he do about it?

A: He filed a complaint with the Irish data protection commissioner (DPC), which oversees Facebook and many other tech companies with EU and internetional headquarters in Ireland. The Irish DPC ruled that it had no case to investigate as Safe Harbour, and its implementation, was solely a matter for the European Commission. Schrems took a judicial review at the High Court, which in turn asked the ECJ in Luxembourg for clarity.

Q: What did the ECJ judges say?

They agreed with Max Schrems, that the Snowden revelations raise serious concerns about the protection of European citizens’ fundamental rights to privacy and data protection once their data reaches the US. The Safe Harbour provisions as they stand are tilted in favour of US authorities, the judges said, and allow the commission no effective means of policing or intervention.

Q: What did they say about Ireland’s DPC?

A: The judges said the Irish DPC was wrong to dismiss the Schrems case as “frivolous and vexatious”. They said that national authorities, while limited in their ability to act under Safe Harbour, are obliged to at least investigate complaints like that filed by Max Schrems.

Q: What happens now?

The EU and US are now under pressure to find a successor to Safe Harbour that reflects the reality of transatlantic data transfers while respecting EU citizens’ fundamental rights to privacy and data protection. And they need to solve a legal dilemma for companies like Facebook: are they obliged to hand over all data to the US, as the NSA insists, or are they forbidden to hand over EU citizen data, as the ECJ has ruled? The prerequisite for legal certainty is a political deal between Brussels and Washington.

Q: And what does it mean for Ireland and our DPC?

In the words of the Schrems legal team, “the comfortable times are over” for the Portarlington-based authority. All complaints that come over its desk - from Schrems or others - must be investigated fully. If it finds no grounds for concern, the complainant must have a right of appeal in national courts. If the Irish DPC sees the complaint as well-founded, the Dail must provide “legal remedies” to allow the DPC challenge the commission in court.

Q: What happens now?

The ruling goes back to the High Court in Dublin, which will then instruct the Irish DPC to investigate fully the Schrems complaint against Facebook.

Q: Are they any wider consequences?

As well as potential diplomatic turbulence, the ruling could affect ongoing talks for a transatlantic trade agreement. The US was anxious to strike a deal with the EU forbidding any limits on data transfer between the two continents. The ECJ Schrems ruling appears to draw a line through that.