The European Court of Justice (ECJ) has ruled that the Safe Harbour framework used by the US and EU is invalid in a decision that could have major implications for many of the world’s biggest technology firms and others processing personal data.
V3 has put together a breakdown of the background to the decision and what it could mean for the future.
What is/was Safe Harbour?
The Safe Harbour Privacy Principles were introduced in 2000 by the European Commission (EC) to provide an easy way for US companies to receive approval to transfer data on EU citizens to the US.
The framework set out seven points firms must adhere to for Safe Harbour approval relating to areas such as informing users of data collection, ensuring its security and offering the ability to opt out of data collection when using a service.
It has been used by up to 4,000 firms, including major technology companies such as Facebook, Twitter, Microsoft and Google, to send data on customers from the EU to US data centres for processing.
The ECJ ruled that this framework is not adequate as Edward Snowden’s PRISM revelations of 2013 showed that firms operating under Safe Harbour could not ensure that data was protected because organisations like the NSA were able to access and use it for their own purposes.
EU citizens also had no recourse to legal justice under the agreement, thereby infringing their rights.
Finally, the ECJ said that the rules undermined the authority of each nation’s data protection authority to rule on whether a firm is adhering to data protection laws.
The ECJ decision is the result of a long-running legal case that started in 2014 when an Austrian named Max Schrems asked the Irish data protection authority to assess what data Facebook was sending to the US.
Schrems took that case to the Irish authority as Facebook is headquartered in the country. However, the watchdog refused to investigate, saying that Facebook was covered by the Safe Harbour agreement.
In response Schrems took the Irish regulator to the Irish High Court arguing that it should investigate. The court turned to the ECJ for guidance on the issue.
The EC attorney general ruled last month that the PRISM revelations did indeed make the Safe Harbour agreement invalid, a decision that the ECJ has now adopted.
"This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights," said Schrems. "The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it."
What happens next?
This is the big question. Essentially, data transfers between the EU and the US are no longer covered by Safe Harbour, meaning that firms will have to process data in the EU or achieve certification under more stringent, time-consuming and costly data transfer mechanisms, such as model clauses or binding corporate rules.
However, discussions for new rules governing data transfers have been underway for some time between the EU and US, which could introduce similar rules but with more data protection guarantees and more rights for EU citizens.
The ECJ ruling will put more pressure on those involved in the negotiations to hammer out a deal as quickly as possible, a pressure vocalised by Peter Olsen, president of the Digital Europe lobby group.
“We urgently call on the EC and the US to conclude their long-running negotiations to provide a new Safe Harbour agreement as soon as possible,” he said.
“We also call on the EC to immediately issue guidance to companies operating under the Safe Harbour framework to ensure that essential and routine commercial activities can occur during the current legal vacuum."
EC first vice president Frans Timmermans said that the organisation is making good headway on these discussions and will continue to strive for a resolution.
"In light of the ruling, we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic," he said, adding that the EC will issue guidance on how data transfers can continue.
"We will come forward with clear guidance for national data protection authorities on how to deal with data transfer requests to the US in the light of the ruling."
However, Christopher Jeffery, head of UK IT, telecoms and competition at law firm Taylor Wessing, told V3 that he is sceptical that the EU can convince the US to give satisfactory commitments not to use the data for security purposes.
“If you look at what the court said in its judgement, one objection was that there is indiscriminate processing and monitoring of personal data by US authorities, and that is incompatible with EU freedoms,” he said.
“In the EU data is only monitored where strictly necessary and proportionately. There is no way the US will agree to the same laws, so it’s hard to see how they will bridge that gap.”
Whatever happens in the next few months is likely to cause considerable business disruption for those operating under Safe Harbour rules, as noted by Mark Thompson, privacy practice leader at KPMG.
“There is a risk that if rules around data transfers aren’t handled pragmatically this will result in a restriction on the flow of personal information across global organisations which could have a detrimental impact on their business models,” he said.
“This could affect global trade as organisations are likely to be required to restructure business functions, outsourcing arrangements and business partnerships, and relocate IT assets to ensure that processing of personal information does not take place in the US."
Jeffery from Taylor Wessing told V3 that there is likely to be a few weeks' leeway before any decisions are finalised, but that businesses should start considering how else they will cover data transfer, using binding corporate rules or model clauses.
The Safe Harbour decision is likely to be just the first in a series of high-profile data protection and privacy developments in the next few months that will have an impact on the market.
The US government is currently involved in a major cloud case with Microsoft over whether it has the right to access data on Microsoft users stored on servers overseas, which would pose major privacy concerns for EU citizens.
Meanwhile, the EU is on the verge of introducing a new data protection law that will radically overhaul the regime, notably by requiring firms gathering data on EU citizens to adhere to EU laws, regardless of where they operate.
Both these developments will add yet more complexity and confusion to data protection and privacy, leaving businesses scrabbling for answers.