A lot of American businesses, from Facebook to Google to thousands of other smaller firms, might be pushing the panic button this morning. The European Court of Justice this morning declared the Safe Harbour Framework that has streamlined the transfer of personal data from Europe to the US since 2000 is invalid.
The rules were supposed to ensure data stored in the US had the same privacy protections as they would when in the EU. But in 2014 they were challenged by Austrian privacy campaigner Max Schrems, who was concerned about the impact of US surveillance as revealed by Edward Snowden. In particular, he was concerned Facebook was supporting NSA spying by passing on its users’ data.
When Schrems brought the case to the Irish Data Protection Commissioner, where Facebook’s European headquarters are based, the authority said it would not pursue the case due to previous decisions declaring Safe Harbour legitimate. Schrems, founder of Europe v Facebook and now a hero of the privacy world, appealed that decision to the High Court in Dublin, which referred the case to the European Court of Justice.
The ECJ today declared the same protections for personal data are not offered in the US. It also said the Irish authority would have to examine Schrems’ complaint “with all due diligence” and decide whether the transfer of data of Facebook’s European users to the US should be suspended.
The ruling today declared “the national security, public interest and law enforcement requirements of the United States prevail over the Safe Harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements."
“The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference," the body added.
“The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.”
The decision came after advocate-general Yves Bot advised the ECJ the US had carried out "indiscriminate surveillance" incompatible with EU fundamental rights.
Stewart Room, partner at PricewaterhouseCoopers Legal, said the decision proved citizens had the power “to cause radical and fundamental change in the European data protection legal framework.”
Room warned that the 5,000 businesses believed to take advantage of Safe Harbour will now have to revisit their procedures for transferring personal data. There are other mechanisms available to legally transfer data, such as contractual agreements between parties promising strong safeguards and approved by the European Commission. But challenges to those are now “highly foreseeable”, according to Room. “Businesses will need to be aware of the risk of group litigation and compensation claims.
“The best way for businesses to insulate themselves from additional legal challenges is by carrying out thorough, independent assessments of the quality and robustness of their operational protections for personal data both inside and outside of Europe.”
Executive Director of the Open Rights Group, Jim Killock, said Safe Harbour was "not worth the paper it's written on" and a new agreement to protect EU citizens from mass surveillance by the NSA was required.
More sceptical parties believe the invalidation of Safe Harbour may cut Europe adrift, leading to an exodus of businesses who rely on the framework to operate effectively. The Computer & Communications Industry Association said "a suspension of Safe Harbor will negatively impact Europe’s economy, hurt small and medium-sized enterprises, and the consumers who use their services, the most". It urged the EU and US to devise a new and appropriate Safe Harbour agreement.
A Facebook spokesperson said the case was not about Facebook but just "one of the mechanisms that European law provides to enable essential transatlantic data flows". "Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor," the spokesperson added.
"It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security."
Google, another one of many who may now have to re-organise how it stores and analyses personal data, had also been contacted but had not responded at the time of publication.
