Striking Down the Safe Harbor Agreement
With a cornerstone decision for the future of data transfers and the world's digital economy, the Court of Justice of the European Union, following the proposal of the Opinion of its Advocate General, has declared null and void the Safe Harbor Agreement, the regulatory scheme that governed (digital) data transfers between Europe and the US for the past 15 years. Although this decision may not have been made for the most crucial reasons, nonetheless it is a step in the right direction.
With its latest decision the CJEU marks a turning point in the road towards an updated and realistic regulatory settlement of a primary phenomenon (and, at the same time, a vital field of economic activity) of our times, in Europe, the USA and globally: the transfers of digital data via the internet. These serve nowadays as the cornerstone of the world economy, having gained importance at an erratic pace since about the mid-2000s.
One could persuasively argue that the rate at which this economic activity has gained weight has left the regulatory framework for data transfers lagging far behind and obsolete compared to the technological standards under which data transfers are currently conducted. This gap between the technological and regulatory status quo regarding data transfers can be traced on both sides of the Atlantic, although it has been fuelled by, and stems from, fundamentally different reasons.
As is widely known, Europe and the US have traditionally had essentially divergent views on privacy, owing to a series of differences in their cultural, political and economic traditions. However, the internet, as the main means of channeling transfers of data (in a digital format), has today established itself as a single digital space of universal dimensions. The most prominent service providers that facilitate all different kinds of data transfers, such as Facebook, have nowadays acquired a global footprint and outreach.
This defiance of traditional geographic boundaries in the digital world has resulted, especially after the avalanche of Edward Snowden's revelations, in an increasingly loud call for a different, more unanimous regulatory approach to the internet and the things happening on it; primary among these is the transfer of personal data, which is most often of a cross-boundary nature. This need is also reiterated by the Advocate General in point 136 of his Opinion on the case, where he stresses that, in reality, the case under scrutiny asked the Court to determine whether the Safe Harbor Agreement of 2000 is still valid and, consequently, applicable in view of all the technological change that has occurred since the time of its adoption, as well as the historical facts that have left their mark on the issue of protection of privacy (the Edward Snowden revelations being just the tip of the iceberg).
From the mid-1990s, when it was voted for, until today, the EC Data Protection Directive, 95/46/EC, has admittedly been the driving force behind EU law's profound effect on the culture surrounding the protection of fundamental human rights, such as privacy and private online life, digital anonymity, the privacy of electronic communications, etc. On the other side, however, the US has simultaneously emerged as the uncontested champion in the field of internet services, given that the majority of providers of services related to the transfer, processing and storage of (digital) personal data are headquartered on US soil.
Attempts were made to bridge this distance between regulatory and economic leadership in the field through several bilateral and ad hoc initiatives, such as the Safe Harbor Agreement. At the time of its conclusion, Safe Harbor seemed to be a persuasive response to the legal gap it was meant to fill, while, most importantly, it served as an immediate solution for bridging the differences between the US and Europe, so that the intensifying economic activity in the relevant sectors could continue unhindered.
However, over the course of the years the internet as an economic field has evolved in entirely different ways in comparison to the geographically partitioned legal orders of the real world. At the same time, the threats to the security and privacy of the digital world are also of a cross-boundary nature. Consequently, the decline of ad hoc tools, such as the Safe Harbor Agreement, into insufficiency was something of a natural phenomenon.
One should not fail to point out, of course, that the reasons that led the CJEU to such a decision were more a mixture of law and politics than merely a firm stance on the application of EU law. On the one hand, both the Advocate General in his Opinion and the Court in its Decision, taking advantage of the EU provisions that permit the CJEU to go in its deliberation beyond the facts and the primary content of the preliminary questions it is discussing in a case, go several steps further, discussing not just the conduct and decision of the Irish Data Protection Authority but also assessing the very validity of the Safe Harbor scheme.
It is true that, if one sticks to the facts put forward by Mr Schrems, it is hardly substantiated that there had indeed been a violation of the privacy and personal data of Maximilian Schrems himself. On the other hand, the newly elected President of the CJEU, Belgian judge and Constitutional Law professor Koen Lenaerts, in an interview with the Wall Street Journal just two days after the Decision on the Schrems case was published, confirmed the rumors that the CJEU does not consider sufficiently justified several initiatives undertaken over the previous years in a series of sectors bilaterally between Europe and the US.
Recently, such initiatives (primary among which was the Safe Harbor Agreement) have been fervently criticized as merely trying to smooth out thorny issues that could impede the intensifying economic activity between Europe and the US instead of settling, in an uncompromised manner, sensitive legal issues, such as sufficient safeguards for online privacy. Judge Lenaerts more or less declared that this leniency of the European Commission and, consequently, of the EU itself, towards American demands has to be terminated and the CJEU, in the context of its competences, will do whatever it takes in the following years to this end.
In conclusion, it is obvious that the internet, its facilitating technologies and the phenomena developed through it call for a more universal regulatory approach and cooperation of legislators unhindered by geographical boundaries. Although the reasons that led the CJEU to such a ground-breaking (but not at all unexpected) decision have been more of a useful pretext than the actual cause of the problem, the Schrems vs. DPD decision is undoubtedly a step in the right direction.
The regulation of the internet in Europe, America and worldwide has to be founded, from now on, on a set of minimum common principles that will reflect its boundless nature. For the time being, conditions in Europe or America are probably not ripe enough on a legal and political level for such a step forward. Nevertheless, this is a need already expressed in various ways by a large part of civil society and the economic actors of the digital economy. Consequently, it is just a matter of time before laws are revamped to give persuasive answers to a profoundly different reality.
Xenofon Kontargyris is a PhD researcher on Cloud Computing Regulation at the University of Hamburg Faculty of Law, AMBSL Graduate School.