The Rise and Fall of the Safe Harbor Privacy Treaty

Implemented by the European Union (EU) in 1998, the Data Protection Directive (Directive 95/46/EC) required member states to establish a personal data protection law regarding personal data processing and transit across borders. It also mandated that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Additionally—perhaps understanding that countries outside of the EU, like the United States, might never establish an equivalent privacy law—the directive authorized the transfer of personal data only to countries that offered an “adequate level of protection.” Recognizing privacy as a fundamental human right, the European Commission (EC) ruled on whether or not a country met this criterion before allowing them to process the personal information of EU data subjects. As the EU’s executive arm, the politically independent EC performs several functions that include shaping the EU’s overall strategy, initiating proposals for laws and policies and monitoring their implementation, and developing international trade relationships.

To comply with the directive and achieve adequacy, the U.S. Department of Commerce (DOC) negotiated the Safe Harbor agreement with the EC that allowed U.S. companies to transfer personal data from the EU to the United States. The agreement also allowed U.S. businesses to voluntarily self-certify adherence to several data privacy principles via the DOC. Effectively, the Safe Harbor agreement was a legal mechanism for transferring EU personal data that prevented EU national data protection authorities from reviewing or challenging those transfers. While utilized by businesses for over a decade, the Safe Harbor agreement failed to meet the EU’s privacy protection standards.

In 2013, former American intelligence contractor Edward Snowden leaked National Security Agency (NSA) documents conveying that U.S. intelligence agencies were conducting mass surveillance. The two surveillance programs that caused the European courts to upend the Safe Harbor agreement—Upstream and PRISM—granted surveillance authority under Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008, which amended the FISA of 1978. Upstream surveillance involved mass copying data that traveled across internet infrastructure. The NSA could compel assistance from telecommunication service providers by installing equipment that allowed the agency to copy customer data en masse. In PRISM surveillance, the NSA used tools to collect electronic personal data from individuals using remote communication services like Google, Amazon Web Services and Meta. As with Upstream, the agency could compel companies to provide them with direct access to their servers and/or private user data including emails and direct messages.      

While the NSA often compelled companies to provide access to data via Upstream and PRISM, there were other means to access that data. Executive Order 12333 (EO 12333) permitted U.S. intelligence agencies to collect data on non-U.S. individuals without companies’ cooperation. However, some reports alerted to legal loopholes in EO 12333 that essentially allowed U.S. intelligence agencies to collect data on U.S. citizens as long as the data was collected outside of the United States.

In 2015, the Court of Justice of the European Union (CJEU) issued the Maximillian Schrems v. Data Protection Commissioner (Schrems I) ruling, which invalidated EC’s Safe Harbor Framework.  

The Schrems I Decision

Austrian national Max Schrems filed a complaint against Facebook Ireland with the Irish Data Protection Commission (DPC), alleging that his personal data had been sent to U.S. servers that lacked the “adequate level of protection” mandated in Directive 95/46/EC. Though Schrems did not challenge the directive’s overall validity, the CJEU established from his complaint that he was challenging the Safe Harbor provision.

Ultimately, the CJEU ruled that the EC’s Safe Harbor agreement for EU-U.S. data transfer was invalid and had altered the data privacy landscape drastically. The CJEU focused on two main issues that conflicted with EU law: (1) U.S. intelligence agencies’ surveillance methods went beyond what was appropriate under EU privacy law; and (2) EU citizens had no administrative or judicial means of redress. Further, the CJEU ruled that national data protection agencies like the Irish DPC “must be able to examine, with complete independence, any claim concerning the protection of a person’s rights and freedoms with the processing of personal data relating to him.”

Immediately following the Safe Harbor agreement’s demise, all transfers under that agreement became invalid. To avoid legal risks, American businesses either had to cease all data transfers or receive EU data subject consent—a logistical and financially challenging task. These challenges prompted the EC and the United States to negotiate the Privacy Shield Framework to address the CJEU’s concerns and allow data to flow between the United States and the EU.

But it was only a matter of time before this framework was dismantled as a result of Data Protection Commission v. Facebook Ireland, Max Schrems (Schrems II).

This is part of the series Transatlantic Data Flow Chronicles: Unveiling Past and Current Data Diplomacy.