Safe Harbour dead in the water…whilst data protection takes to the skies

So there we have it. Data protection, once the preserve of tragic anoraks with too much time on their hands, has now firmly taken up its place as a glittering star within the European legal firmament. For who now, in the wake of the Schrems judgment, can doubt the global political and economic significance of the data protection regime, as embodied first and foremost in EU Directive 95/46/EC.

But let us begin by examining why the Schrems judgment in particular has launched data protection into the legal stratosphere. Well let’s start with the fact that it is not every day that a judgment issued by the Court of Justice of the European Union effectively finds that a world super-power has breached fundamental human rights by engaging in a campaign of mass surveillance within its own borders (see paras. 90-98). Then there’s the realisation that the Court has been prepared to deploy those findings so as to attack the validity of a European Commission decision which has shaped the approach which businesses within the EU and the US have taken to EU-US data sharing for the past fifteen years (see para. 104). Then it starts to sink in that the Court’s conclusion that that decision is invalid is inevitably going to destabilise data-sharing arrangements adopted by businesses across the EU, not to mention the US. So what starts as a hugely politically significant judgment turns into a judgment with vast commercial implications (and I am not just talking about the Facebooks of this world because it is clear that the judgment affects all business which transfer data into the US). What is all the more astonishing about the judgment is that it represents a remarkable willingness on the part of the Court to usurp an ongoing political process which is itself designed to achieve a consensus on lawful EU-US data sharing (see further the European Commission’s continuing efforts to negotiate with the US authorities on how to address deficiencies in the Safe Harbour regime).

But then again should any of this really come as any surprise? After all, this is not the first time that the Court has boldly used EU data protection legislation as a means of reshaping key socio-political paradigms. First, it was the internet which was subject to a substantial sea-change as a result of the Court’s recognition that a right to be forgotten could be asserted against search engines (as in Google Spain). Then we saw the Court using data protection legislation in effect so as to inhibit EU Member State surveillance programmes (as in Digital Rights Ireland). Now it is the wider corporate world which is feeling the full force of the behemoth that is EU data protection legislation as data-sharing arrangements across the EU-US piste potentially unravel in the face of the Court’s judgment (see further the ICO’s recent statement on the judgment and its implications for businesses here).

The important question which has yet to be answered is whether the Court’s seemingly relentless march to affirm the primacy of data privacy rights within and indeed beyond the borders of the EU may ultimately itself produce wholly disproportionate and indeed politically untenable results. However, one thing is for sure: the data protection super nova will continue to attract our gaze for some time to come.

Anya Proops