Back More
Salem Press

Table of Contents

Privacy Rights in the Digital Age, 2nd Edition

S

by Katharina Hering

Safe Harbor

Identification: A framework for transatlantic data transfer.

The European Court of Justice ruled on October 6, 2015, that Safe Harbor is invalid because privacy protections in the United States are insufficient, allowing U.S. government authorities to gain routine access to personal information from European Union (EU) citizens stored by U.S. companies. Based on the EU data protection guidelines that went into effect in 1998, transfer of personal data from a member state to a nonmember state may be authorized only if an “adequate” level of privacy protection based on EU standards can be guaranteed. The Safe Harbor framework, developed in 2000 between the U.S. Department of Commerce and the European Commission, however, provided a way to work around these restrictions. The framework allowed U.S. companies to transfer personal data if they committed to a self-certification process to ensure compliance with a set of Safe Harbor privacy principles. Over 4,400 U.S. companies (large companies, such as Google, Inc., Face-book, Inc., Apple, Inc., Microsoft, Corp., Amazon, Com., Time Inc., as well many smaller companies) store data from European customers in the United States. The ruling means that the data protection authorities in individual EU member states are now authorized to review data transfers to the United States on a case-bycase basis.

The case was brought by privacy activist Maximilian Schrems, a lawyer and PhD student from Vienna, Austria, who founded the organization Europe v. Facebook and has challenged Facebook’s inadequate privacy protections for several years. A Facebook user since 2008, he wrote a paper on Facebook’s privacy policies while he was pursuing his legal studies as an exchange student in California. He noted the differences between U.S. and European privacy protections, and in 2011 ventured to get a detailed account of the kind of information Facebook had collected from him over the years. While getting his user information from Face-book was not easy, he persisted, and eventually received a CD from Facebook’s headquarters in California. The CD contained a 1,222 page PDF document that contained all the user data the company had collected about him, including a lot of data he had deleted: wall posts, messages, and email addresses from friends. Aiming for greater transparency from the company and the ability for users to control their own information, he lodged a complaint against Facebook with the Irish data protection agency (Facebook’s European headquarters are located in Ireland). Schrems argued that, in light of Edward Snowden’s revelations about the National Security Agency’s (NSA’s) surveillance program,

U.S. laws do not provide sufficient protections against government surveillance of customer data stored on U.S. servers. The Irish data protection agency rejected the complaint, however, on the ground of the Safe Harbor framework. Schrems then sued the agency in the High Court of Ireland, which subsequently referred the case to the European Court of Justice.

In its ruling, the European Court of Justice followed the opinion of the Advocate General, Yves Bot, which he had delivered on September 23, 2015. The Advocate General of the Court provides an advisory legal opinion on specific legal cases. Bot wrote: “First, personal data transferred by undertakings such as Facebook Ireland to their parent company established in the United States is then capable of being accessed by the NSA and by other U.S. security agencies in the course of a mass and indiscriminate surveillance and interception of such data. Indeed, in the wake of Edward Snowden’s revelations, the evidence now available would admit of no other realistic conclusion. Second, citizens of the Union have no effective right to be heard on the question of the surveillance and interception of their data by the NSA and other United States security agencies.”

In its judgment, the Court wrote, “legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life,” which is guaranteed by Article 7 of the Charter of Fundamental Rights of the European Union. The Court also referred to Article 8 of the Charter, “Protection of personal data,” which guarantees the following: “Everyone has the right to the protection of personal data concerning him or her.” The judgment also cites Article 47, “Right to an effective remedy and to a fair trial.”

Commentators in Europe called the judgment “spectacular, brave, sensational,” and privacy advocates welcomed the ruling as a major victory. Schrems stated on his website: “I very much welcome the judgement of the Court, which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillances violates our fundamental rights. Reasonable legal redress must be possible.” In contrast, U.S. Commerce Secretary Penny Pritzer stated in response to the European Court of Justice decision: “We are deeply disappointed in today’s decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy.”

It is not entirely predictable at this point what impact the ruling will have on companies that are transferring personal data between Europe and the United States, and the implementation of the ruling will differ from EU member country to member country. Some commentators predict that it might—in some instances— bring data transfer between Europe and the United States to a complete halt. Others see the decision as largely symbolic and predict that big companies in particular will be able to find alternative methods to allow the continuation of data transfer between Europe and the United States. There is no doubt, however, that the ruling significantly strengthened the work of the data protection authorities in the individual EU member countries and that it advanced digital rights for EU citizens.

Further Reading

1 

Darcy, Shane. “Battling for the Rights to Privacy and Data Protection in the Irish Courts: Schrems v. Data Protection Commissioner [2014] IEHC 213 [2014].” Utrecht Journal of International and European Law 31 (2015): 131–135.

2 

European Union, Charter of Fundamental Rights of the European Union. October 26, 2012. 2012/C 326/02. http://perma.cc/LR4G-U4AY.

3 

Initial response to the decision by the CJEU, Europe v. Face-book website. http://perma.cc/6PRQ-Q2JE.

4 

Judgment in Case C-362/14 Maximillian Schrems v. Data Protection Commissioner [2015]. http://perma.cc/HQW4-JBB9. Case C-362/14 Maximillian Schrems v. Data Protection Commissioner [2015]. Opinion of Advocate General Yves Bot. http://perma.cc/6JDQ-ZS7L.

5 

Mouzakiti, Foivi. “Transborder Data Flows 2.0: Mending the Holes of the Data Protection Directive.” European Data Protection Law Review 1 (2015): 39–51.

6 

Statement from U.S. Secretary of Commerce Penny Pritzker on European Court of Justice Safe Harbor Framework Decision. October 6, 2015. https://perma.cc/6GKFELAL.

7 

Timm, Trevor. “The Snowden Effect: New Privacy Wins Await after Data Transfer Ruling.” The Guardian, October 8, 2015. http://perma.cc/57MX-NBBY.

See also: Amazon; Apple, Inc.; Big data; Facebook; National Security Agency; The Right to Privacy; Snowden, Edward.

Citation Types

MLA 9th
Hering, Katharina. "S." Privacy Rights in the Digital Age, 2nd Edition, edited by Jane E. Kirtley & Michael Shally-Jensen, Salem Press, 2019. Salem Online, online.salempress.com/articleDetails.do?articleName=PRDA2e_0197.
APA 7th
Hering, K. (2019). S. In J. E. Kirtley & M. Shally-Jensen (Eds.), Privacy Rights in the Digital Age, 2nd Edition. Salem Press. online.salempress.com.
CMOS 17th
Hering, Katharina. "S." Edited by Jane E. Kirtley & Michael Shally-Jensen. Privacy Rights in the Digital Age, 2nd Edition. Hackensack: Salem Press, 2019. Accessed May 30, 2026. online.salempress.com.