Five uncomfortable facts about the CJEU Safe Harbour decision



By Simon Davies

This week the CJEU, Europe’s highest court, struck down a long-standing arrangement that allowed the flow of personal information between the EU and the US. The court ruled that, in essence, the “Safe Harbour” agreement isn’t worth the paper it is written on because the US simply cannot guarantee that it will adequately protect European data. Or, put another way, Europe’s inadequate data oversight regime is rendered even more inadequate because of the almost non-existent protections offered by the US.

The case was focused on a US national security grab of Facebook data, and the plaintiff – Max Schrems – reinforces that focus. However, the decision has much wider implications, calling into question both the integrity of US assurances, and the very basis of US protections. This could create a trickle-down effect for all data transfers to the US.

On the face of it, the judgment might seem straightforward: US companies will have to find another way to do business legally with Europe. Not so. Here are a few home truths.


  1. The corpse is still twitching. True, the CJEU has struck down Safe Harbour, but it has not laid down alternative measures that would permit data trade between Europe and the US. In reality this means that the thousands of companies currently using Safe Harbour will “probably” need to start thinking about alternative arrangements. If they don’t take some sort of action, they could be exposed to complaints from within the EU. So – in the vein of ‘Yes Minister’ – “activity” will be the order of the day. Smaller companies may cover themselves by subscribing to one of the frameworks that innovative law firms will inevitably create, but they’ll essentially just wait for advice from the European Commission. The Big Fifty will circulate lots of memos, create internal briefings and commission legal advice. Some may even revamp their privacy policies to create a stronger emphasis on consent. That activity should cover their backs for the next three years, but nothing much will change. The CJEU decision has created a due diligence ‘No Man’s Land’.
  2. The US Administration still thinks it is in the right. There’s still a huge chunk of the US that believes data protection is a load of rubbish. European notions of privacy, they say, are out of date and restrictive. What some US officials want to see is the data equivalent of the second amendment. This view is by no means universal, but there are enough dinosaurs out there on the Beltway and elsewhere to ensure that large swathes of US business are motivated to take an ambivalent view of data protection.
  3. The privacy antagonists don’t truly respect the authority of Europe’s highest court. Neither the European Commission (which has improperly defended Safe Harbour for fifteen years) nor the US government truly believes the Court got it right in this judgment. They argue that the Safe Harbour concept is still valid and that the key parties can negotiate a version 2.0. Let’s say… “Safer Harbour”. And of course “Safer Harbour” will contain stronger language – even going so far as to include such extremities as “unambiguous” and “proportionate”. But – without wishing to stretch metaphors – it’s impossible to have a safe harbour that’s full of regulatory depth charges. Sadly the present EU-US data trade environment is full of those.
  4. Re-negotiation won’t resolve the issue unless the US experiences a “Road to Damascus” moment. No matter how much good will there is around the table, any new version of Safe Harbour will be fundamentally flawed. One key point the US seems to overlook is that the CJEU didn’t merely condemn a framework agreement; it condemned the US approach to privacy. In its judgment the Court threw out Safe Harbour because public authorities weren’t bound to it, US interests trump those of Europe and there are few remedies for grievances. Those problems won’t be resolved through the mere addition of a few well-chosen words.
  5. In the end, the whole matter is now in the hands of a mischief of mice. The CJEU judgment means that the field is now fully open for EU residents to complain to their local Data Protection Authority about transfers to the US. But guess what… that field was always open. It’s just that DPAs have for years played the game of Pass the Parcel and preferred to fall back on Safe Harbour rather than doing the right thing by standing up to a framework that they all knew was a joke. Now the onus is on the DPAs to take action to protect EU rights. Best of luck with that one. There are perhaps only six DPAs in the whole of Europe that have such a degree of commitment.