European Court of Justice strikes down Safe Harbour

Huge implications for US tech businesses such as Google and Facebook

Safe Harbour, the agreement that allows personal data to be transferred from the EU to the US for processing, has been struck down by the European Court of Justice (ECJ).

The Court's ruling comes as a result of a case brought against Facebook in Ireland by Austrian law student Max Schrems. Schrems alleged that his rights had been infringed because Facebook is required to hand data to the NSA, as revealed by Edward Snowden. This contravenes Safe Harbour, he claimed, which states that signatories must secure data against third parties.

Two weeks ago the ECJ's Advocate General Yves Bot gave his opinion that Safe Harbour "is no longer adequate". Bot's opinion has now been carried by the Court, which has ruled that European Commission Decision 2000/520/EC, which declared the adequacy of the Safe Harbour privacy principles, is invalid. (Full Court judgment here - PDF).

The end of Safe Harbour will affect about 4,500 businesses according the the Wall Street Journal, including internet giants such as Google and Facebook. It is also likely to bring other transnational data transfer agreements such as Binding Corporate Rules (BCR) and model clauses into question ahead of the emergence of the EU General Data Protection Regulation (GDPR), according to Marc Dautlich, information law partner at Pinsent Masons.

"Today's ruling could have a significant impact on all EU-US data transfer mechanisms as it is likely that other legal tools, beyond Safe Harbour, that organisations rely on to transfer personal data from the EU to the US will come in for scrutiny too. That prospect creates uncertainty for businesses that, until now, will have believed the data transfer arrangements they have in place meet the standards required by EU law," Dautlich says.

He continues: "Currently, businesses can adopt model clauses which help them to meet the adequacy standards of EU data protection laws when transferring personal data outside of the EU. Companies can also implement BCRs for intra-group data transfers around the world. Both the model clauses and BCR frameworks could now come in for scrutiny for similar reasons to those highlighted in relation to the Safe Harbour regime."

Mark Thompson, privacy practice leader at KPMG, says the implications for global businesses are serious.

"There is a risk that if rules around data transfers aren't handled pragmatically this will result in a restriction on the flow of personal information across global organisations which could have a detrimental impact on their business models," he says.

Thompson continues: "This could potentially impact global trade as organisations would likely be required to re-structure business functions, outsourcing arrangements, business partnerships and relocate IT assets to ensure processing of personal information does not take place inside the USA.

"For global organisations this would be a substantial undertaking and the associated costs and practicalities involved could be very significant," Thompson says, adding that the changes will take time to be enacted.

"In the short term we expect to see the [US] Federal Trade Commission (FTC) to continue to be the enforcer of Safe Harbour. The FTC has taken additional action against various companies in the last 30 days requiring them to change their privacy practices to bring them into line with Safe Harbour requirements. In addition, the US Department of Commerce will continue to negotiate proposed revisions to Safe Harbour to address the EU's concerns over the broader transfer of personal information of EU citizens to the USA."

Schrems released a statement in which he welcomed the ECJ's judgment.

"I very much welcome the judgment of the Court, which will hopefully be a milestone when it comes to online privacy. This judgment draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible," says Schrems.

"The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it," he adds.

"This decision is a major blow for US global surveillance that heavily relies on private partners. The judgment makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights."

Schrems goes on to say that the implications for global businesses are unlikely to be as severe as they have presented them.

"There are still a number of alternative options to transfer data from the EU to the US. The judgment makes it clear that now national data protection authorities can review data transfers to the US in each individual case - while ‘Safe Harbour' allowed for a blanket allowance. Despite some alarmist comments I don't think that we will see mayor disruptions in practice," Shrems' statement concludes.

See also Safe Harbour must be suspended immediately, says chair of European Parliament Civil Liberties Committee

Privacy will also be a topic of discussion in our Enterprise Security & Risk Management Summit on 26 November. Registration is free for most delegates.