EU Court of Justice invalidates Safe Harbour and the game for thousands US businesses suddenly changes

A hearing at the European Court of Justice (European Court of Justice, 2010)

A hearing at the European Court of Justice (European Court of Justice, 2010)

In what some American media already call a “dramatic judgement”, the European Court of Justice last week changed the course of history for data protection and handling between the EU and the United States. After having declared the “Safe Harbour” data transfer agreement invalid earlier last week, on October 06, the EU’s highest court last Friday urged the EU and the United to shape a new trans-Atlantic data-transfer deal.

A paper monster

The ruling took immediate effect, and surely opened a big hole in the EU-US business legislation and data protection environments. The decision by the European Court of Justice junked a 15-years-old regulation and indeed left some 4,500 US companies, which have previously relied on Safe Harbour, linger in a potential bureaucratic nightmare. To understand why, it is necessary to take a step back and review some data privacy history.

Background

Since 2000, thousands of US companies have relied on Safe Harbour to comply with the “EU Data Protection Directive 95/46/EC” (the “Directive”) on the protection of personal data, and – more practically – to transfer personal data from the EU to the US. Indeed the Safe Harbour has been for fifteen years the “bridge” for thousands of businesses to cope with the many differences between the American and the European regulations. While the United States has a patchwork of various state laws on the privacy topic, the EU has a broad overarching law covering all industry sectors , the “Directive”, which prohibits the transfer of personal data outside of the EU unless there is an “adequate level of protection of the data.”

In order to facilitate business, the two superpowers negotiated a “Safe Harbour” agreement that allowed US companies to process and transfer EU citizens’ personal data only after qualifying for certain rules and principles. The Safe Harbour Framework indeed required adherence to guidance materials and seven basic principles: notice, choice, onward transfer, security, data integrity, access and enforcement. Under Safe Harbor, companies were basically free to transfer personal data from the EU to U.S in compliance with the EU Data Protection Directive and European privacy laws.

The NSA Leaks and the Schrems case

Post the Snowden scandal, more than 2 years ago, things have changed though. Edward Snowden’s National Security Agency leaks indeed showed that European data stored by US companies was not safe from surveillance that would be illegal in Europe, and many regulators, organisations and people started to become dig the matter further.

Maximillian Schrems, an Austrian law student and Facebook user, then argued that the Irish Data Protection Commissioner failed to protect him from mass surveillance by the US NSA. Schrems argued that the actions of many large US firms like Facebook, that basically store all – or at least a vast majority of – their customers data in the USA and then transfer personal data to the NSA as part of the infamous PRISM program, did not provide adequate protection of EU citizens’ data being transferred to third countries.

So the European Court of Justice was asked to investigate and to eventually rule on whether the Safe Harbour Framework was able to sufficiently protect the EU citizen under the EU Data Protection Directive. The court found that the Safe Harbour was “inadequate” to serve its original purpose, and that it did not “satisfy the requirements of the directive”.

The Court’s ruling

“The Court declares the Safe Harbour Decision invalid”, the official document by the Curia stated. “This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence”, it also declared. The document also cited that “even if the Commission has adopted a decision”, the national supervisory authorities, when dealing with a claim, “must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive”. Those are heavy words which are destined to change the entire game.

What happens now?

The full impact of this decision is currently hard to see, but for sure the future of cross border data transfers between the EU and US becomes now a big question-mark. By scrapping the Safe Harbour, the European Court of Justice has practically and immediately returned the issue to the hands of regulators in each country: from this moment onwards each EU member nation will decide its own way when it comes to interact with the US on data privacy and handling.

The impact on business

From a business point of view, this could turn into a real nightmare for American firms, as we said. US companies (potentially not only tech firms) that do business in Europe could be requested to keep data locally in each country that they operate in. Moreover, the decision creates new legal risks for companies and surely puts at risk all the bloc’s plans to create a single digital market, because it will jeopardize the region and the possibilities of doing business here by non-EU companies. Indeed now it might happen that one country might block a company’s transfer to the US while the regulator in another gives the green light. Indeed pretty fare from the “unity” dream Commissioners are foreseeing.

“What we need now is to work closely with the Americans to find a solution to get a safe ‘Safe Harbour’, which is in the interest of both Europeans and Americans”, briefly stressed Andrus Ansip, European Commission Vice-President in charge of digital single market. Mr. Ansip also said he would be meeting with businesses next week to discuss practical concerns but urged the EU and the U.S. to continue work towards creating a new Safe Harbour agreement.

A Trans-Atlantic case

Last weeks’ decision once again unveils the many differences between two of the worlds’ pioneers in privacy and data protection laws, which as one can imagine we’ll have huge impacts in the negotiations of trans-Atlantic deals such as TTIP.

It is impossible to determine in detail now the scale of the shock the ruling by the ECJ will have on real economy, but it will for sure add pressure on the ongoing negotiations between the two blocks around data protection, and possibly on all the other matters which are found on the Transatlantic table of negotiations.

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Featured Stings

Who will win the AI race? If countries work together, then the answer could be all of us

Europe on the Move: Commission completes its agenda for safe, clean and connected mobility

90% of fish stocks are used up – fisheries subsidies must stop

Everyone has ‘a moral imperative’ to uphold the rights of persons with disabilities, says UN chief

EU leads the torn away South Sudan to a new bloody civil war

‘Habitual residence’ rules deprive EU workers from social benefits

EU Parliament and Council: Close to agreement on the bank resolution mechanism

Brexit negotiations: back to square one, tougher words, no good faith

EU unfolds strategy on the Egypt question

“If the job market doesn’t exist, then even the most brilliant Youth Guarantee cannot ensure a job to these young people”, European Youth Forum Secretary General Giuseppe Porcaro on another Sting Exclusive

The importance of pre-departure training for a better understanding of global health issues

Beware the fragility of the global economy

New skills agenda for Europe needs real investment

More solidarity and interaction between generations needed to challenge age stereotypes and ingrained ageism

“We have to do a better job of creating alternatives to violent extremism”, US Secretary of State John Kerry from Switzerland; the Sting reports live from World Economic Forum 2015 in Davos

Mood changes in Europe in favour of growth and jobs

8000 young people in the EP in Strasbourg: “a breath of fresh air for EU democracy”

EU Commission draws the wrong conclusions

The UK to split if May’s hard or no-deal Brexit is pursued

Alarming level of reprisals against activists, human rights defenders, and victims – new UN report

Can Kiev make face to mounting economic problems and social unrest?

A Sting Exclusive: “Climate change and youth inaction: oblivion or nonchalance?”, AIESEC wonders from Brussels

Act now to end violence, Zeid urges Nicaraguan authorities

Why EU’s working and unemployed millions remain uncertain or even desperate about their future

The financial sector cripples Eurozone growth prospects

Why are the financial markets shivering again?

Switzerland to introduce strict restrictions on executive pay

Bankruptcy or referendum: which one is going to be first?

Nuclear non-proliferation treaty an ‘essential pillar’ of international peace, says UN chief

These coastal countries are sinking the fastest

“Is Europe innovative? Oh, Yes we are very innovative!”, Director General of the European Commission Mr Robert-Jan Smits on another Sting Exclusive

Migration Crisis: how to open the borders and make way for the uprooted

On the detention of children in the United States of America

Is Eurozone heading for disinflation?

Copyright: European Union , 2017; Source: EC - Audiovisual Service; Photo: Frank Molter

EU hits deadlock on the future of glyphosate a month before deadline

Eurozone: Sovereign debt decreases for the first time since 2007

COP21 Breaking News_03 December: Argentina Accepts KP Amendment

A reflection of health inequity in recent epidemics

Intel @ European Business Summit 2014: Better decisions now, the new business dashboard 

MEPs to vote on overhaul of road transport rules in July

Crimea, a wicked game of political chess and a ‘big’ coincidence

So, what is your favourite Sustainable Development Goal?

Q&A on the 19th China-EU Summit to be held on 01-02 June 2017 in Brussels

Hollande decisively rebuffs Merkel’s and Rehn’s austerity policies

EU and Japan agree on free-trade deal and fill the post-TPP void

Why medicine is relevant to the battle against climate change

Climate change update: will the UN member states regain momentum despite the little progress at COP23?

Global health challenges require global medical students

WEF Davos 2016 LIVE: “If we do not do properly the Paris agreement, then all 16 remaining goals will be undermined”, UN Secretary General Ban Ki-moon cautions from Davos

Youth employment crisis easing but far from over

“A divided Europe is not in China’s interests”, Ambassador Zhang of the Chinese Mission to EU welcomes Brussels

The Changing Scope of International Economic Relations – Chinese Leadership in the 21st Century

ZTE @ MWC14: ZTE excels in all areas at this year’s Mobile World Congress

The gender gap of medicine in 2018

The IMF overstates the risks for Eurozone and downgrades the threats for the US economy

Conflicting statistics and bad banks haunt the Eurozone

Utmost hypocrisy emitted by EU’s energy regulation

How secure is blockchain?

Juncker Investment Plan for Europe welcomed by European Youth Forum

Eurasian Union begins: the giant modelled on the EU is Moscow’s biggest challenge

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s