A bimonthly magazine on international affairs, edited in Germany's capital

The End of Offshore Data?

“Safe Harbor” offers no true refuge for Europe’s Internet users, the European Commission admits

An impending June decision by the EU’s Court of Justice will likely tip the balance between free trade and fundamental rights. Arguments were heard last week in Luxembourg in a privacy rights case lodged by Max Schrems, an Austrian law student, against five international tech giants.


(c) REUTERS/Herwig Prammer

The EU’s Charter of Fundamental Rights is a quick and enlightening read. In 53 articles over 14 well-spaced pages, the document lists rights from the inviolability of human dignity to bans on torture and slavery, taking watertight positions on big issues that are non-negotiable for EU member states.

Imagine for a minute, then, the uproar if the European Commission admitted they were unable to guarantee the ban on torture. Imagine the scandal if the Brussels-based EU executive admitted it couldn’t protect EU citizens from slavery – and this before the European Court of Justice (ECJ), the EU’s highest court.

The European Commission admitted they were unable to guarantee a fundamental right this week: not preventing torture or slavery but guarding EU citizens’ privacy. Article 8 of the charter states that “everyone has the right to the protection of personal data concerning him or her” and that compliance with this “shall be subject to control by an independent authority.”
 But what happens if you think your data is not protected, your personal information is no longer private, and the European authorities are not doing anything about it?

This was why Austrian privacy campaigner Max Schrems lodged a complaint about Facebook to the Data Protection Commissioner (DPC) in Ireland, where the social network’s international operations are based. Schrems had heard US whistleblower Edward Snowden’s claim that the National Security Agency (NSA) had leaned on Facebook and other US tech companies to pass on, directly or indirectly, their user data to its PRISM program. Their digital dragnet, Schrems believed, contradicted his right to privacy.

The Irish DPC dismissed his complaint, saying it was not responsible for such data transfers. They are the business of the European Commission, the DPC said, and its Safe Harbor provisions. That is the name given to 15-year-old rules allowing US companies to collect user data inside the bloc and export it to the US once they meet “adequate” protection requirements.

Around 2000 such arrangements have been reached between the EU and companies in other countries, such as New Zealand, but it is primarily American firms taking advantage of this data express lane. For years privacy campaigners have complained that this harbor isn’t safe at all, and Snowden’s claims just confirmed their suspicions.

Washington has never confirmed or denied the NSA PRISM program, though since 9/11 it has stepped up collection of all data it believes necessary in its so-called “war on terror.” 
Unlike the EU, the US has no defined privacy laws and any external agreements are subservient to US domestic law. Thus Safe Harbor provisions have no legal standing in the US, with both government officials and private companies viewing them merely as best-practice aspirations.

So how can the Commission ensure that Safe Harbor provisions are being honored? The simple answer: it cannot.

The Schrems Facebook complaint dismissed by the Irish DPC was referred to the Irish High Court, which in turn referred questions on Safe Harbor to Luxembourg’s ECJ. It was here a week ago Tuesday that judges asked probing questions about the fundamental right of all EU citizens to privacy in the era of Facebook, the NSA, and PRISM.

“Let’s imagine I am on Facebook and I decide my rights have been breached,” said Advocate General Yves Bot. “If I don’t see the [European] Commission taking action, what recourse do I have open to me?”

After some hemming and hawing, European Commission counsel Bernhard Schima said, “You might consider closing your Facebook account and revoking your consent.”

Judge Bot replied drily, “I anticipated that problem by never opening a Facebook account.”

It was a telling moment, a declaration of bankruptcy in the European Commission’s ability to defend a fundamental right of EU citizens. 
For many EU countries who addressed the court, the problem with Safe Harbor is that it lacks legal teeth. 
“It could be said that Safe Harbor is not a safe harbor for the data of EU citizens, but a safe harbor for pirates,” said Gerhard Kunnert, counsel for Austria.

The European Commission is in a bind. On the one hand it is obliged to defend the fundamental rights of EU citizens. On the other hand, it fears Washington’s wrath.

The US is already wary of an overhaul of EU data rules under discussion in Brussels, fearing they will put the brake on tech giants like Google and Facebook. The European Commission knows this and so, where once it was critical of US attitudes toward Safe Harbor, Brussels is now more cautious. Officials admit there are problems with the provision but pleaded with the ECJ for time to remedy the situation. But given that talks began in 2013 with end date and outcome still unknown, ECJ judges appeared to take a dim view of this request.

Senior Commission officials fear most that the ECJ will strike down Safe Harbor and that Washington, fearing complications for their tech giants, will pull out of TTIP talks.

When the ECJ judges will deliver their verdict on June 24 it could be a defining moment for European privacy in the 21st century and the uneasy tug-of-war between free trade and fundamental rights.