EU Court of Justice invalidates Safe Harbour and the game for thousands US businesses suddenly changes

A hearing at the European Court of Justice (European Court of Justice, 2010)

A hearing at the European Court of Justice (European Court of Justice, 2010)

In what some American media already call a “dramatic judgement”, the European Court of Justice last week changed the course of history for data protection and handling between the EU and the United States. After having declared the “Safe Harbour” data transfer agreement invalid earlier last week, on October 06, the EU’s highest court last Friday urged the EU and the United to shape a new trans-Atlantic data-transfer deal.

A paper monster

The ruling took immediate effect, and surely opened a big hole in the EU-US business legislation and data protection environments. The decision by the European Court of Justice junked a 15-years-old regulation and indeed left some 4,500 US companies, which have previously relied on Safe Harbour, linger in a potential bureaucratic nightmare. To understand why, it is necessary to take a step back and review some data privacy history.


Since 2000, thousands of US companies have relied on Safe Harbour to comply with the “EU Data Protection Directive 95/46/EC” (the “Directive”) on the protection of personal data, and – more practically – to transfer personal data from the EU to the US. Indeed the Safe Harbour has been for fifteen years the “bridge” for thousands of businesses to cope with the many differences between the American and the European regulations. While the United States has a patchwork of various state laws on the privacy topic, the EU has a broad overarching law covering all industry sectors , the “Directive”, which prohibits the transfer of personal data outside of the EU unless there is an “adequate level of protection of the data.”

In order to facilitate business, the two superpowers negotiated a “Safe Harbour” agreement that allowed US companies to process and transfer EU citizens’ personal data only after qualifying for certain rules and principles. The Safe Harbour Framework indeed required adherence to guidance materials and seven basic principles: notice, choice, onward transfer, security, data integrity, access and enforcement. Under Safe Harbor, companies were basically free to transfer personal data from the EU to U.S in compliance with the EU Data Protection Directive and European privacy laws.

The NSA Leaks and the Schrems case

Post the Snowden scandal, more than 2 years ago, things have changed though. Edward Snowden’s National Security Agency leaks indeed showed that European data stored by US companies was not safe from surveillance that would be illegal in Europe, and many regulators, organisations and people started to become dig the matter further.

Maximillian Schrems, an Austrian law student and Facebook user, then argued that the Irish Data Protection Commissioner failed to protect him from mass surveillance by the US NSA. Schrems argued that the actions of many large US firms like Facebook, that basically store all – or at least a vast majority of – their customers data in the USA and then transfer personal data to the NSA as part of the infamous PRISM program, did not provide adequate protection of EU citizens’ data being transferred to third countries.

So the European Court of Justice was asked to investigate and to eventually rule on whether the Safe Harbour Framework was able to sufficiently protect the EU citizen under the EU Data Protection Directive. The court found that the Safe Harbour was “inadequate” to serve its original purpose, and that it did not “satisfy the requirements of the directive”.

The Court’s ruling

“The Court declares the Safe Harbour Decision invalid”, the official document by the Curia stated. “This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence”, it also declared. The document also cited that “even if the Commission has adopted a decision”, the national supervisory authorities, when dealing with a claim, “must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive”. Those are heavy words which are destined to change the entire game.

What happens now?

The full impact of this decision is currently hard to see, but for sure the future of cross border data transfers between the EU and US becomes now a big question-mark. By scrapping the Safe Harbour, the European Court of Justice has practically and immediately returned the issue to the hands of regulators in each country: from this moment onwards each EU member nation will decide its own way when it comes to interact with the US on data privacy and handling.

The impact on business

From a business point of view, this could turn into a real nightmare for American firms, as we said. US companies (potentially not only tech firms) that do business in Europe could be requested to keep data locally in each country that they operate in. Moreover, the decision creates new legal risks for companies and surely puts at risk all the bloc’s plans to create a single digital market, because it will jeopardize the region and the possibilities of doing business here by non-EU companies. Indeed now it might happen that one country might block a company’s transfer to the US while the regulator in another gives the green light. Indeed pretty fare from the “unity” dream Commissioners are foreseeing.

“What we need now is to work closely with the Americans to find a solution to get a safe ‘Safe Harbour’, which is in the interest of both Europeans and Americans”, briefly stressed Andrus Ansip, European Commission Vice-President in charge of digital single market. Mr. Ansip also said he would be meeting with businesses next week to discuss practical concerns but urged the EU and the U.S. to continue work towards creating a new Safe Harbour agreement.

A Trans-Atlantic case

Last weeks’ decision once again unveils the many differences between two of the worlds’ pioneers in privacy and data protection laws, which as one can imagine we’ll have huge impacts in the negotiations of trans-Atlantic deals such as TTIP.

It is impossible to determine in detail now the scale of the shock the ruling by the ECJ will have on real economy, but it will for sure add pressure on the ongoing negotiations between the two blocks around data protection, and possibly on all the other matters which are found on the Transatlantic table of negotiations.



















Featured Stings

Water supply a human right but Greeks to lose their functioning utilities

How many more financial crises in the West can the world stand?

Azerbaijan chooses Greek corridor for its natural gas flow to EU

Why Eurozone’s problems may end in a few months

Volkswagen scandal update: “We want clarity fast, but it is equally important to have the complete picture”, Commission’s spokesperson underscores from Brussels

European Confederation of Junior Enterprises hosts in Geneva the Junior Enterprise World Conference

A day in the life of a refugee: the role of nations and citizens of the world

The 27 EU leaders did nothing to help May unlock the Brexit talks

German elections: Is Merkel losing ground or Shultz is winning?

Copyright: European Union , 2017; Source: EC - Audiovisual Service; Photo: Frank Molter

EU hits deadlock on the future of glyphosate a month before deadline

Jade Spring Meeting 2017 – day 2: Coporate workshops, general assembly and magna moment

COP21 Breaking News: Conference of Youth Focuses on Hard Skills to Drive Greater Climate Action

The three US financial war fleets

Can the EU afford a trade war with China?

Why do medical students need to emigrate to become doctors in 2017?

Trump badly cornered at home by agribusiness and steel consumer lobbies: Trade

Draghi’s top new year resolution: Quantitative Easing

Eurozone: Inflation plunge to 0.4% in July may trigger cataclysmic developments

A rapid deterioration of the humanitarian situation in the war-torn Yemen

From Grexit to Brexit: UK industry now says the in/out referendum is good for your health

On Human Rights Day European Youth Forum calls for end to discrimination of young people

The European Youth Forum needs better signal for its “call” for Quality Internships

Counting unemployment in the EU: The real rate comes to anything between 16.1% and 20.6%

Opening Remarks by H.E. Ambassador Yang Yanyi, Head of the Chinese Mission to the EU at the Chinese Fashion Night

The EU Commission does nothing about the food retailing oligopoly

Eurozone: How safe are our deposits? Which banks will survive?

Eurozone banks to separate risky activities: Can they stay afloat?

The EU Parliament endorses tax on financial transactions

The US + Britain trivialize mainland Europe, NATO and the EU

Lithuania vs Parliament over 2014 EU budget

The US may be “open” to reviving TTIP, while the EU designs the future of trade with China

Schengen is losing ground fast revealing Europe’s clear inability to deal with migration crisis

German stock market is not affected by the Greek debt revolution while Athens is running out of time

EU will not deliver on promises without democratic accountability

China revisited by the former Ambassador of Hungary to China

The West castigates Turkey’s Erdogan for the ruthless political cleansing

Eurozone has practically entered a deflation trap

A Sting Exclusive, the European Commissioner for Energy Günther Oettinger writes for the Sting on “EU Industry: a major energizer”

Greece: The new government of Alexis Tsipras shows its colors

Managers’ pay under fire

Why Eurozone can afford spending for growth

EU Commission says falling labour remuneration leads to deflation and damages growth prospects

Mario Draghi didn’t do it but Kim Jong-un did

E-Government can be a remedy for the crisis

Education expenditure in the EU not hurt much by crisis

The EU Parliament slams Commission on economic governance

EU is now giving Google new monopolies to the detriment of European citizens and Internet companies

EU Commission: Banking and energy conglomerates don’t threaten competition!

How will Brexit affect higher education in the EU?

Eurozone’s bank resolution mechanism takes a blow

UK’s PM Theresa May asks for a two-year Brexit transition plan as negotiations round kicks off

Twenty days that may remold the future of Europe

France and Poland to block David Cameron’s plans on immigration

A new proposal breaks the stalemate over the Banking Union

Can the EU last long if it cuts Cyprus out?

UN Environment Assembly 2017: where the world convenes to #BeatPollution

The UK to split if May’s hard or no-deal Brexit is pursued

Finally an answer to the hottest question of European youth today: How to make sure Juncker’s Investment Plan works for youth

IMF – World Bank meetings: US – Germany clash instituted, anti-globalization prospects visualized

China Unlimited: the dragon’s long and winding road

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s