eDiscovery Daily Blog

• October 8, 2015

International eDiscovery just became more difficult.  A 27-year-old Austrian law graduate may have brought an end to a 15 year old agreement enabling transatlantic data transfers between the U.S. and European Union because of – wait for it – privacy concerns.

According to Law 360 (subscription required), on Tuesday, the Court of Justice of the European Union (‘CJEU’) ruled that the safe harbor pact enabling transatlantic data transfers between the U.S. and European Union should be struck down, agreeing with its top legal adviser in finding that the deal fails to provide an adequate level of protection for EU citizens’ data.

In its opinion, issued two weeks after the Advocate General Yves Bot offered a nonbinding opinion recommending that the safe harbor agreement be struck down, the CJEU ruled that the popular U.S.-EU safe harbor data transfer scheme fails to adequately protect the privacy rights of EU citizens because it puts the needs of U.S. law enforcement officials ahead of these rights by allowing them unfettered access to the transferred data.  As a result, data transfers between EU member states and the US that were once authorized under the Safe Harbor provisions are now considered unlawful.

In its announcement, the CJEU stated “National security, public interest and law enforcement requirements of the United States prevail over the safe harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements…The United States safe harbor scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.”

The CJEU also ruled the safe harbor to be inadequate because it offers EU citizens no judicial means of redress in the U.S. and denies EU data protection authorities the power to review complaints challenging the validity of the data transfers to third countries, which the court ruled that the regulators can do even though the commission had declared the safe harbor scheme to be adequate.

Bot’s opinion stemmed from a June 2013 complaint filed by Max Schrems, a 27-year-old Austrian law graduate, who alleged that Facebook’s Irish subsidiary transferred data to the U.S. and that the social media site cooperated with the National Security Agency’s PRISM program, the existence of which, thanks to former NSA contractor Edward Snowden, is now public knowledge.  Snowden congratulated Schrems on Tuesday with this tweet.  Schrems praised the ruling Tuesday, saying that he hoped it would a “milestone when it comes to online privacy.”

At a press conference Tuesday, the European Commission said it welcomed the decision as a confirmation of the need of having robust data protection safeguards in place before transferring citizens’ data as well as of its efforts to revamp the safe harbor agreement, which have been pending for more than two years.

So, what do you think?  Do you conduct eDiscovery internationally?  Will this ruling affect how you do so?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.