European Union Court rules that the EU-U.S. Safe Harbor agreement on the transfer of personal data is invalid
The Court of Justice of the European Union has ruled that the Safe Harbor agreement on which many businesses depend for the transatlantic transfer of personal data is invalid.
Privacy is the issue. The EU has some of the strictest rules on privacy, and companies operating inside the 28-member bloc are forbidden from sending personal information outside its borders without certain guarantees of protection.
The “Safe Harbor” principles are a system devised by the U.S. to help companies comply with the European Commission’s (E.C.) Directive on Data Protection, which came into effect in 1998. The directive essentially prohibits the transfer of personal data outside the European Union (E.U.) to countries that don’t adhere to the E.U.’s “adequacy” standard for privacy protection.
The Safe Harbor rules, negotiated by the U.S. and the EU in 2000, allowed tech giants such as Amazon, Facebook, and Google to handle the personal information of millions of people in the EU and move it to the U.S., if they met certain requirements.
While the decision will affect companies like Facebook and Google, it is bad news for small and medium-size companies transferring data from the EU to the U.S., said Mike Weston, CEO of data science consultancy Profusion.
“American companies are going to have to restructure how they manage, store and use data in Europe and this will take a lot of time and money,” he said.
However, the Safe Harbor agreement, which controls the way that data is moved from Europe to the U.S., has been successfully challenged by an Austrian privacy campaigner called Max Schrems. The ECJ said that the agreement did not remove local regulators’ duty to make sure that their citizens’ data was being adequately protected. Schrems also argued that personal data of EU citizens was misused by the National Security Agency’s Prism program. Facebook, along with several major tech companies, is believed to have cooperated with the program.
On Tuesday, the European Court of Justice agreed. It said the agreement compromised “the essence of the fundamental right to respect for private life,” and “the essence of the fundamental right to effective judicial protection.”
The court is the EU’s highest court, and its ruling is binding.
Schrems, in a statement, welcomed the ruling, “which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.”
The court ruling has also been welcomed by privacy and data campaigners including the Open Rights Group.
Executive director Jim Killock said: “In the face of the Snowden revelations, it is clear that Safe Harbour is not worth the paper it’s written on. We need a new agreement that will protect EU citizens from mass surveillance by the NSA.”
Schrems’s legal battle over Safe Harbour was triggered by Edward Snowden’s 2013 revelations about the U.S. National Security Agency’s (NSA) Prism surveillance system, which allowed spies to access foreigners’ personal information in the databases of companies such as Facebook.
At first, he brought a lawsuit in Ireland after failing to obtain an investigation into Facebook by the country’s Data Protection Commission, which has the authority to audit the social media giant.
Schrems claimed Ireland’s data watchdog had an onus to reveal what information Facebook held on users and finally what was being transferred to the U.S. under Safe Harbour and being accessed through Prism.
As Facebook users outside the U.S. and Canada have a contract with Facebook Ireland, the case was brought in Dublin and was later transferred to the European court.
Facebook said that the case was “not about Facebook”. “The Advocate General himself said that Facebook has done nothing wrong,” a spokesperson said.
“What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows. Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor.”
“It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.”
Some people claim the ruling may make things difficult for other big U.S. businesses. Mark Thompson, privacy lead at consultancy KPMG, cautioned that any new regulation of big data could have a “very significant” practical and financial impact on major technology firms operating in the EU.
“There is a risk that if rules around data transfers aren’t handled pragmatically this will result in a restriction on the flow of personal information across global organisations which could have a detrimental impact on their business models,” he said.
“This could potentially impact global trade as organisations would likely be required to re-structure business functions, outsourcing arrangements, business partnerships and re-locate IT assets to ensure processing of personal information does not take place inside the USA. For global organisations this would be a substantial undertaking and the associated costs and practicalities involved could be very significant.”
Today’s judgment said that public interest, national security, and law enforcement requirements of the United States prevail over the Safe Harbour scheme, so that U.S. undertakings are bound to ignore the protective rules laid down by that scheme where they conflict with such requirements.
“The United States Safe Harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the (Data Protection) Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.”
It added: “This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.”
The court said that U.S. authorities were able to access the personal data transferred from EU member states to the U.S. and process it in a way incompatible with the purposes for which it was transferred, beyond what was strictly required and proportionate to the protection of national security.
“Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.”
The court added that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as “compromising the essence of the fundamental right to respect for private life”.
“Likewise, the court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.”
“Finally, the court finds that the Safe Harbour decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.
“The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.”
Liberal Democrat MEP Catherine Bearder, who has called for greater critical examination of large tech firms, said: “This is a historic victory against indiscriminate snooping by intelligence agencies, both at home and abroad.”
“In a globalised world, only a strong and binding international framework will ensure our citizens’ personal data is secure. Being part of the EU means we can fight for strong safeguards that protect UK citizens’ freedom and privacy.”