Safe Harbor is Not “Exactly” Dead

Michael Meltzer

General Counsel and Chief Privacy Officer

Many of us saw reports this week that the highest court of the European Union has just issued a decision declaring the “Safe Harbor” agreement invalid.  This is not exactly accurate.  But it’s close!

So let me tell you what has actually happened.

First of all, the case that everyone is now talking about in the Privacy world is technically titled Schrems v. Data Protection Commissioner, but you may hear it referred to as the “Facebook case”.  Without going into all of the particulars right now, the case involved the complaint of an Irish citizen (Schrems) that personal data collected by Facebook was subject to indiscriminate search by the US NSA and that there was no means for him to seek redress for the violation of his privacy.  The Irish court essentially dismissed his case, ruling that Facebook is a signatory to the Safe Harbor agreement and that the Irish Data Privacy Commissioner had already ruled that the Safe Harbor provided an adequate level of protection.

Schrem appealed and… skipping the process points of interest to lawyers only … the case ended up in the Court of Justice of the European Union (the highest judicial authority for such matters).  That court ruled that the Irish Commissioner’s prior finding of sufficiency was not in fact binding on the Irish court and that there were grounds for the court to consider whether Safe Harbor sufficiently protected the privacy rights of Irish citizen in general and Mr. Schrems in particular.  They then went on to say that the NSA’s indiscriminate taking of data and the lack of judicial redress was in fact inconsistent with the standards of the current EU Data Protection Directive (and that is an ominous opinion).

So, what does this mean?  Well, if this were the whole story, I’d say that the Irish court would be hard pressed not to follow the reasoning of the Court of Justice.  Happily it’s not the whole story, because:

  1. while the court could only review the facts as they existed when Schrem brought his case, the EU and the US have since worked out a new agreement (let’s call it Safe Harbor +1) that seeks to address the very issues raised by the court (indiscriminate NSA data collection and lack of judicial remedy afforded EU citizens).  Of course, we don’t yet know if the Irish court, when it looks again, will find this new agreement adequate, but there is a realistic shot that they will; and
  2. in the meantime, while the Irish court is busy looking again, their work is likely going to be rendered moot by a new EU data protection law that is in the final stage of development and is expected to be enacted by the end of this year or soon after.  So the case may yet die of natural causes!

Is this a lot of noise about not much?  No.  Safe Harbor is on life support and the tubes are being pulled out of it one by one.  But, happily, new legislation that will effectively re-establish the safe harbor approach is close at hand.  But, if it doesn’t come to pass soon, we’ll be faced with another court decision that is likely to finish the job!  So we need to be aware of the situation.

Here is the bottom line (finally!):  Safe Harbor is not dead.  The Facebook decision clearly points to issues that in fact are being addressed and the local court will have the ability to take note of that.  New legislation is close to finished that will re-boot, so to say, safe harbor, albeit with some changes that Sirota is well equipped to deal with.  And, lastly, we should also remember that Safe Harbor is not the only method that can be used to lawfully transfer data from the EU to the US.  In fact, many of our clients already use something called the “standard contract clauses” and- again- Sirota is completely capable of using that mechanism as well.

We welcome your comments.  Please enter them in the space below or feel free to contact Michael Meltzer, Chief Privacy Officer directly at

Leave A Comment