top of page

No Safe Harbor for Europeans' Facebook data in the USA

The EU tends to have much stricter rules governing the protection of personal data than the United States does. 5 days ago the European Union Court of Justice issued an opinion (in Schrems v. Data Protection Commissioner) overturning a finding that the United States provided an adequate level of protection for personal data. See: . The decision was partly the result of Edward Snowden's disclosures about the extent of domestic surveillance in the United States. The EU has a Data Protection Directive that requires a third country to which data is transferred to have adequate safeguards for the protectoin of that data. Maximillian Schrems contested the transfer of the data for his Facebook account from servers in Ireland to servers in the USA. Ireland's Data Protection Commission had rejected Mr. Schrems's claim on the basis of a 2000 ruling that the American data protection scheme provided the necessary level of protection. The EU Court of Justice held that national supervisory authorities could make their own evaluations of whether or not a country's data protection measures complied with the directive independly of a EU commission decision, but that only the Court of Justice could deterimine if the Commission's decision was invalid. The Court found that United States authorities are not bound by the safe harbor scheme and that issues of national security, public interest and law enforcement prevail over the scheme. It stated that, "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life." The Court's opinion means that preventing a person from having legal remedies to obtain his personal data and get such data erased violates his or her 'fundamental right to judicial protection'. The Court left it to the Irish authorities to decide whether or not Schrems' data could be transferred to the US.

The safe harbor scheme that all of the news articles about this momentous decision refer to was something that the U.S. Department of Commerce developed with the EU. See: . The scheme requires the following:

1. Notice - the party to whom the personal data belongs must receive notice that it is being collected.

2. Choice - the party should have the option to decline to participate in the program which collects his or her data.

3. Onward Transfer - the organizations that receive the data must have adequate data protection procedures.

4. Data Integrity - the data must be relevant to the purpose for which it is collected.

5. Security - steps must be taken to guarantee the data is not lost.

6. Access - an individual must be able to access his or her data and correct or erase it.

7. Enforcement - there must a means for enforcing these rules.

Use the mnemonic - DEACONS - they look after the personal secrets of the church.

American tech companies are continuing to transfer data from Europe on the basis of other agreements, but those may now be called into question as well. The Court's decision noted the inability of Europeans to bring actions in U.S. courts related to the compromising of personal data. A bill is being considered in Congress to make such actions possible.

bottom of page