2 Minutes On: Safe Harbour ruled invalid

The data-sharing agreement known as Safe Harbour was ruled invalid on 6 October by the Court of Justice of the European Union, with widespread ramifications for organisations ranging from cloud computing providers to multinational companies that move information across the Atlantic.


The agreement, reached in 2000, prohibits the transfer of data outside the EU to third-party nations that don't meet the EU test of “adequacy” with regard to privacy protections. The Safe Harbour Decision enabled US organisations to ‘self certify’ that their data protection systems met the EU adequacy test so they could lawfully transfer personal data from the EU to the US for the purposes of storage and processing.

The decision striking down Safe Harbour came about after an Austrian law student, Maximilian Schrems, lodged a complaint that his personal data was being unlawfully processed by Facebook in the US. His claims were based on revelations by Edward Snowden regarding cooperation between the US National Security Agency (NSA) and companies such as Facebook to access the personal data of social media users.

In its widely anticipated ruling, the court agreed. “The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data,” Yves Bot, the court's advocate general, said in his opinion. Bot added that the agreement should have been suspended immediately following Snowden's revelations about the NSA.

The Court found that the Safe Harbour agreement compromised EU citizens' right to respect for private life, compromised the fundamental right to effective judicial protection and denied national supervisory authorities their powers to investigate breaches of the principles behind data protection.

Stewart Room, a partner at PwC Legal, said the case has revealed a significant flaw in the data protection regulatory framework: that the European Commission can adopt decisions which are binding on the national data protection regulators but the regulators still had a duty to investigate serious complaints.

Others expressed concern over the implications of the EU court's decision. “With the adoption of the cloud and the loss of Safe Harbour, companies face harsh requirements on the location and protection of data stored by them,” said Fred Kost, senior vice president at HyTrust.

 

–By Danielle Correa, with additional reporting by Tom Reeve, SC Magazine UK

 

Industry statistics

273 patches issued by just four vendors in one week in December - Apple, Google, Microsoft, Adobe

65% of IT pros who avoid cloud due to security and visibility concerns - Netwrix 2015 Cloud Security Survey

4,000+ multinational firms – including IBM, Google and Ericsson – used Safe Harbour

64% of consumers around the world who say they won't shop with a company that's had a data breach - Gemalto

51% of businesses will amend and adapt their data privacy policies for GDPR - Ovum report commissioned by Intralinks® Holdings, Inc