The US-EU Safe Harbour Decision has been ruled invalid by the Court of Justice of the European Union (ECJ) today, with widespread ramifications for organisations ranging from cloud computing providers to multi-national companies that move information on customers and staff across the Atlantic.
The agreement was reached in 2000, following the introduction of the European Union Directive on the Protection of Personal Data, which became effective in October 1998. The Directive prohibits the transfer of data outside the EU to third-party nations that don't meet the EU test of “adequacy” with regard to privacy protections. The Safe Harbour Decision enabled US organisations to “self-certify” that their data protection systems met the EU adequacy test so they could lawfully transfer personal data from the EU to the US for the purposes of storage and processing.
Today's decision striking down Safe Harbour came about after an Austrian law student, Maximilian Schrems, a Facebook user since 2008, lodged a complaint with the Irish Data Protection Commissioner that his personal data was being unlawfully processed by Facebook in the US. His claims were based on revelations by Edward Snowden regarding cooperation between the US National Security Administration (NSA) and companies such as Facebook to access the personal data of social media users.
Today, Edward Snowden tweeted his congratulations to Schrems and the ECJ.
In its widely anticipated ruling, the court agreed with the ECJ advocate general, Yves Bot, who published his opinion on 23 September. “The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter,” Bot said in his opinion. Bot said that the agreement should have been suspended immediately following Snowden's revelations about the NSA.
The Court found that the Safe Harbour agreement compromised EU citizens' right to respect for private life, compromised the fundamental right to effective judicial protection and denied national supervisory authorities their powers to investigate breaches of the principles behind data protection.
Stewart Room, a partner at PwC Legal, said the Schrems case has revealed a significant flaw in the data protection regulatory framework – that the European Commission can adopt decisions which are binding on the national data protection regulators, but the regulators still have a duty to investigate serious complaints. “Even though those decisions are binding on the regulator, the regulator is still obliged to investigate challenges to them. That's the riddle at the heart of this case,” he said. “So that flaw in the regime is something that the citizen has been able to take advantage of to deliver this fateful blow.”
The ruling will now go back to the Irish High Court, which will decide whether the Irish Data Protection Commissioner complied with the law or not.
Renata Avila, global campaign manager at the World Wide Web Foundation said: “Without effective safeguards for privacy, the Web as we know it could wither and die. Following today's ruling, new safeguards must now urgently be put in place that protect the Web as it should be, a secure and private space where people can start businesses, research confidential topics or just chat with friends without the fear of being subjected to unwarranted government snooping. We hope that this EU ruling will also inspire countries around the world to review their data protection and exchange policies, and enhance the protection of their citizens.”
Claude Moraes, chair of the European Parliament Civil Liberties Committee, said the European Parliament has repeatedly called for the abolition of Safe Harbour for failing to deliver adequate protection under EU data protection law. “The decision by the European Court of Justice today, declaring the invalidity of the Safe Harbour agreement, forces the European Commission to act in order to ensure that transatlantic transfers of personal data of EU citizens to companies in the US offer the continuity of protection required by EU law, and to come up with an immediate alternative to Safe Harbour. The Commission has been in negotiations with the US for over a year on improving the framework but we have still received no update on these discussions,” he said.
The ruling was not welcomed by some companies in the cyber-security industry.
Daniel Castro, vice president of the Information Technology and Innovation Foundation said: “In the wake of the Snowden disclosures, European citizens and policymakers are understandably concerned about privacy safeguards in U.S. law. But abruptly revoking the Safe Harbor agreement was the wrong way to address those concerns. It will disrupt not just the thousands of U.S. and European companies that currently depend on the Safe Harbor to do business across the Atlantic, but also the broader digital economy. Aside from taking an ax to the undersea fiber optic cables connecting Europe to the United States, it is hard to imagine a more disruptive action to transatlantic digital commerce. Policymakers in the United States and EU should work together swiftly to implement an interim agreement so that we do not shut down transatlantic digital commerce overnight.”
Ilias Chantzos, senior director of government affairs EMEA, Symantec, said: “Symantec respects the decision of the EU Court of Justice. However, we encourage further discussion in order to create a strengthened agreement with the safeguards expected by the EU Court of Justice. We believe that the recent ruling will create considerable disruption and uncertainty for those companies that have relied solely on Safe Harbour as a means of transferring data to the United States.”
Michael Bisignano, general counsel at CA Technologies, said: “Secure data flows around the whole world have become the lifeblood of economies so we have very strong concerns about the implications of today's judgment for the application economy. The consequence of the decision will go beyond Safe Harbour, creating the risk of a fragmented approach in Europe towards international data transfers. This can create legal uncertainty that could become a roadblock for the continued development of the Application Economy in Europe. A fragmented approach to international data transfers is the last thing Europe's connected Application Economy needs.”
Jonathan Perez, global privacy officer, BMC Software, said: “Safe Harbour is 15 years old and needed to be reassessed, especially in view of the recent surveillance and data breaches which have brought suspicion onto it in the public eye. We believe that if we work with data, we must be accountable for data entrusted to us at a global level, and that it goes through getting adapted certification such as the Binding Corporate Rules (BCRs) which BMC has just received.”
Deema Freij, deputy general counsel and global privacy officer at Intralinks, said the ruling has major implications for companies of all stripes. “Any company with operations in Europe and transferring data to the United States under Safe Harbour will now need to carefully evaluate how it protects personal data, and re-evaluate governance, risk and compliance processes to meet international data transfer requirements to the United States without Safe Harbour being part of the mix. Indeed, in anticipation of this ruling and because of the criticism Safe Harbour has received in recent times, many foresighted companies had already begun using model contracts as a means of meeting international data transfer requirements,” she said.
Mark Thompson, privacy practice leader at KPMG, said: “There is a risk that if rules around data transfers aren't handled pragmatically this will result in a restriction on the flow of personal information across global organisations, which could have a detrimental impact on their business models. This could potentially impact global trade, as organisations would likely be required to restructure business functions, outsourcing arrangements and business partnerships, and relocate IT assets to ensure processing of personal information does not take place inside the USA. For global organisations this would be a substantial undertaking, and the associated costs and practicalities involved could be very significant.”