European Supreme Court: Because of NSA, U.S. Corporations Have No Self-Agency To Agree To Privacy Obligations

Posted on Oct 9, 2015 by Rick Falkvinge

This week, the European Court of Justice – the highest court in the European Union – declared that US companies may not transmit private sensitive personal data out of Europe to the United States for processing as they have up until now. It was a cancellation of the so-called Safe Harbor agreement, where U.S. companies self-declare that they meet certain European privacy standards. But the European Court of Justice’s (ECJ) reason for declaring Safe Harbor null and void goes far beyond the cancellation as such – it says that U.S. companies don’t have agency to make any such promises of any kind in the first place, contractual or unilateral, not now, not ever, as long as the NSA operates.

Most have focused on the what from this verdict, which is positively enormous in itself. But even more interesting is the why, which nobody seems to have mentioned, and which is downright thermonuclear. It becomes clear when you read the verdict summary in detail, preferably over good coffee, as I did:

The verdict from the ECJ, and a large cup of coffee.
The verdict summary is just three pages, but goes far beyond what has been reported so far.

The verdict concerns the Safe Harbor provision, which is a way for U.S. companies to self-declare that they fulfill European requirements for protecting data that concern individual people – such data is considered sensitive and worthy of legal protection under European law. However, the verdict names Edward Snowden (!) and what he revealed, and says that corporations may promise whatever they like, but that such promises have no effect, as U.S. authorities (read the National Security Agency) can and do supersede such promises constantly. The court is saying that U.S. corporations lack agency to contractually guarantee privacy, essentially equating U.S. corporations to minors in this regard, incapable of contract.

Quoting the verdict summary, the Court writes that any privacy-related contract, promise, or policy “…is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons…”

Highlighted part of verdict summary
This part is thermonuclear.

Do you see how this goes enormously farther than the question of in what data center Facebook and Google need to store their data, which has been the reported outcome so far of this verdict?

The full verdict, which has not been quoted at all in media reports, goes even further on this. The reasoning is detailed from point 73 onward; selected quotes:

  1. Thus, [it is established in Decision 2000/520] that ‘national security, public interest, or law enforcement requirements’ have primacy over the safe harbour principles, primacy pursuant to which self-certified United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with those requirements and therefore prove incompatible with them.
  2. In the light of the general nature of the derogation set out in the fourth paragraph of Annex I to Decision 2000/520, that decision thus enables interference, founded on national security and public interest requirements or on domestic legislation of the United States, with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States. To establish the existence of an interference with the fundamental right to respect for private life, it does not matter whether the information in question relating to private life is sensitive or whether the persons concerned have suffered any adverse consequences on account of that interference.
  3. In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter [of Fundamental Human Rights].

Now, this doesn’t mean that the court just invalidated all contracts between a European entity and a U.S. entity where the U.S. entity makes a commitment to privacy. But that’s because courts don’t work like that – they can only decide on the very specific matter in question before them, or they would have legislative power. In this verdict, they declared the Safe Harbor agreement null and void. But the court has made its reasoning clear, a reasoning which will apply to other cases brought before it.

So in practice, the European Supreme Court has declared that U.S. entities have no agency to promise anything at all with regards to privacy safeguards, as long as the NSA is in operation. Essentially, it has judged that U.S. corporations do not enjoy freedom of contract in the area of privacy, as far as European jurisdiction is concerned.

And that’s enormously more far-reaching than just the Safe Harbor being declared null and void.

Privacy indeed remains your own responsibility. This demonstrates why “trust” should not be a privacy factor in the first place – the preferred approach is to do business with corporations that don’t require your data at all, so that no trust is necessary.


1 Comment

  1. warcaster

    That’s why the EU’s new Data Protection Directive needs to encourage companies to:

    1) not store data

    2) if it’s stored, then only the user should be able to access it (end-to-end encryption).

    There are multiple ways to do this from simply banning the practice through law to giving automatic fines for any data breach and loss of user data or for anytime they comply with the US government’s requests for EU data in a way that’s not made “legal” by the new Safe Harbor.

    9 years ago