GUEST BLOG: Snowden’s Disclosures Upend EU-US Privacy Safe Harbor Laws

09 October 2015 | Internet, IT & e-Discovery Blog

My Guest Blogger Eric Levy is a senior attorney in Gardere’s Trial Practice Group who specializes in complex litigation with a focus on technology and Internet eCommerce related issues.


The European Court of Justice (ECJ) ruled on October 6, 2015 in the case of Schrems vs. Data Protection Commissioner that the access enjoyed by the US intelligence services to the transferred personal data of EU residents constitutes an interference with the right to respect for private life and the right to protection of personal data, which is contrary to the principle of proportionality because said surveillance is mass and indiscriminate. It further adjudged that Safe Harbor is invalid and that Data Protection Commissions in individual member states should investigate companies to ensure that their information handling practices comply with that state’s data protection laws.

In 1995, the EU passed the European Data Protection Directive – a series of principles designed to protect individuals with regard to the processing and free movement of their personal data. Among other things, the Directive permits the transfer of personal data to a country outside of the EU only if that country ensures an adequate level of data protection. The US ensures that level of protection via Safe Harbor, a program run by the Department of Commerce. If a US company is certified as Safe Harbor compliant, it can store the personal information of EU residents on US servers.

Schrems, an Austrian citizen and a Facebook user since 2008, alleged that Facebook should not be allowed to transfer the personal information of its subscribers from its Irish servers to servers in the US. In the light of revelations made in 2013 by Edward Snowden concerning the activities of United States intelligence services like the NSA, Schrems contended that the law and practices of the United States, including Safe Harbor, offered no real protection against surveillance by the United States of personal data transferred to that country. On October 6, 2015 the ECJ agreed with him.

The implications for US companies wishing to transfer the personal data of EU residents to America are staggering. Instead of having to comply with the requirements of one data protection regime (Safe Harbor), said companies will potentially have to deal with twenty-seven different sets of rules and regulations governing such transfers. This may be less of an issue once the EU enacts new data protection regulations later this year, but these new regulations will likely be much stricter than current local member state laws, with no guarantee of a Safe Harbor equivalent embedded within them. Given the uncertainty that is likely to ensue over the next year or so, US companies might want to consider turning to alternative methods of guaranteeing the security of personal information, such as model contracts or Binding Corporate Rules (BCRs).

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only.