EU Court of Justice invalidates Safe Harbour and the game for thousands US businesses suddenly changes

A hearing at the European Court of Justice (European Court of Justice, 2010)

A hearing at the European Court of Justice (European Court of Justice, 2010)

In what some American media already call a “dramatic judgement”, the European Court of Justice last week changed the course of history for data protection and handling between the EU and the United States. After having declared the “Safe Harbour” data transfer agreement invalid earlier last week, on October 06, the EU’s highest court last Friday urged the EU and the United to shape a new trans-Atlantic data-transfer deal.

A paper monster

The ruling took immediate effect, and surely opened a big hole in the EU-US business legislation and data protection environments. The decision by the European Court of Justice junked a 15-years-old regulation and indeed left some 4,500 US companies, which have previously relied on Safe Harbour, linger in a potential bureaucratic nightmare. To understand why, it is necessary to take a step back and review some data privacy history.

Background

Since 2000, thousands of US companies have relied on Safe Harbour to comply with the “EU Data Protection Directive 95/46/EC” (the “Directive”) on the protection of personal data, and – more practically – to transfer personal data from the EU to the US. Indeed the Safe Harbour has been for fifteen years the “bridge” for thousands of businesses to cope with the many differences between the American and the European regulations. While the United States has a patchwork of various state laws on the privacy topic, the EU has a broad overarching law covering all industry sectors , the “Directive”, which prohibits the transfer of personal data outside of the EU unless there is an “adequate level of protection of the data.”

In order to facilitate business, the two superpowers negotiated a “Safe Harbour” agreement that allowed US companies to process and transfer EU citizens’ personal data only after qualifying for certain rules and principles. The Safe Harbour Framework indeed required adherence to guidance materials and seven basic principles: notice, choice, onward transfer, security, data integrity, access and enforcement. Under Safe Harbor, companies were basically free to transfer personal data from the EU to U.S in compliance with the EU Data Protection Directive and European privacy laws.

The NSA Leaks and the Schrems case

Post the Snowden scandal, more than 2 years ago, things have changed though. Edward Snowden’s National Security Agency leaks indeed showed that European data stored by US companies was not safe from surveillance that would be illegal in Europe, and many regulators, organisations and people started to become dig the matter further.

Maximillian Schrems, an Austrian law student and Facebook user, then argued that the Irish Data Protection Commissioner failed to protect him from mass surveillance by the US NSA. Schrems argued that the actions of many large US firms like Facebook, that basically store all – or at least a vast majority of – their customers data in the USA and then transfer personal data to the NSA as part of the infamous PRISM program, did not provide adequate protection of EU citizens’ data being transferred to third countries.

So the European Court of Justice was asked to investigate and to eventually rule on whether the Safe Harbour Framework was able to sufficiently protect the EU citizen under the EU Data Protection Directive. The court found that the Safe Harbour was “inadequate” to serve its original purpose, and that it did not “satisfy the requirements of the directive”.

The Court’s ruling

“The Court declares the Safe Harbour Decision invalid”, the official document by the Curia stated. “This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence”, it also declared. The document also cited that “even if the Commission has adopted a decision”, the national supervisory authorities, when dealing with a claim, “must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive”. Those are heavy words which are destined to change the entire game.

What happens now?

The full impact of this decision is currently hard to see, but for sure the future of cross border data transfers between the EU and US becomes now a big question-mark. By scrapping the Safe Harbour, the European Court of Justice has practically and immediately returned the issue to the hands of regulators in each country: from this moment onwards each EU member nation will decide its own way when it comes to interact with the US on data privacy and handling.

The impact on business

From a business point of view, this could turn into a real nightmare for American firms, as we said. US companies (potentially not only tech firms) that do business in Europe could be requested to keep data locally in each country that they operate in. Moreover, the decision creates new legal risks for companies and surely puts at risk all the bloc’s plans to create a single digital market, because it will jeopardize the region and the possibilities of doing business here by non-EU companies. Indeed now it might happen that one country might block a company’s transfer to the US while the regulator in another gives the green light. Indeed pretty fare from the “unity” dream Commissioners are foreseeing.

“What we need now is to work closely with the Americans to find a solution to get a safe ‘Safe Harbour’, which is in the interest of both Europeans and Americans”, briefly stressed Andrus Ansip, European Commission Vice-President in charge of digital single market. Mr. Ansip also said he would be meeting with businesses next week to discuss practical concerns but urged the EU and the U.S. to continue work towards creating a new Safe Harbour agreement.

A Trans-Atlantic case

Last weeks’ decision once again unveils the many differences between two of the worlds’ pioneers in privacy and data protection laws, which as one can imagine we’ll have huge impacts in the negotiations of trans-Atlantic deals such as TTIP.

It is impossible to determine in detail now the scale of the shock the ruling by the ECJ will have on real economy, but it will for sure add pressure on the ongoing negotiations between the two blocks around data protection, and possibly on all the other matters which are found on the Transatlantic table of negotiations.

the sting Milestones

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

UN chief sends condolences to families of Malawi flood victims

Food safety: Enhancing consumer trust in EU risk assessment and authorisation

This company helps women to become solar entrepreneurs

Continuing incarceration of women’s rights activists in Saudi Arabia, ‘reprehensible’: UN experts

7 simple steps we can all take to reduce food waste

Globalization is changing. Here’s how your business can adapt

The rise and rise of media on your mobile phone – in one chart

The impact of COVID-19 on the life of the elderly

UN spotlights digitization of audiovisual archives to preserve human history on World Day

Central Africans ‘need our help now’: UN’s deputy relief chief

UN human rights report cites ‘multiple root causes’ of deadly Chile protests

3 important lessons from 20 years of working with social entrepreneurs

Employment: Commission proposes €1.6 million from Globalisation Adjustment Fund to help 400 workers made redundant in Carrefour Belgique

Support ‘winds of change’ in DR Congo to consolidate positive developments, urges UN mission chief

What we take for granted: The EU is not perfect

Healthcare workers’ safety: a forgotten necessity

As COP25 goes into the night, Guterres calls for more climate ambition

European Commission registers Χαλλούμι/Halloumi/Hellim as a Protected Designation of Origin (PDO)

G20: Less growth, more austerity for developing countries

Germany resists Macron’s plan for closer and more cohesive Eurozone; Paris and Berlin at odds

WEF Davos 2016 LIVE: “Chinese economy has great potential, resilience and ample space for policy adjustment”, China’s Vice President Li Yuanchao reassures from Davos

Millions denied citizenship due to ideas of national, ethnic or racial ‘purity’: UN rights expert

Paris, Washington, IMF against Berlin and ECB on money and interest

Myanmar: New UN envoy offers to serve ‘as a bridge’, recognizes ‘positive steps’ over Rakhine state

Guinea-Bissau spotlights threats of organized crime, Sahel terrorism in speech to UN Assembly

COVID-19: What you need to know about the coronavirus pandemic on 4 January

Palm Oil: With Malaysia cracking down on production, what’s the alternative?

A Monday to watch the final act of a Greek tragedy; will there be catharsis or more fear?

Data exchanges: Strengthening Europol cooperation with non-EU countries

Migration and rule of law on next ACP-EU Parliamentary Assembly agenda

Violence on the rise in Darfur following Sudan military takeover, but UN-AU peacekeeping mission maintains ‘robust posture’

This is why retail is such a sore point in India-US trade relations

President David Sassoli to visit Skopje: “Remain on the European track”

Former Chilean President Bachelet put forward by UN chief as next High Commissioner for Human Rights

How to keep essential value chains moving during the COVID-19 crisis

Mergers: Commission opens in-depth investigation into proposed acquisition of Metallo by Aurubis

A small group of world leaders are standing together against inequality

EU budget 2019 approved: focus on the young, innovation and migration

Forget 2009, this is the real credit crisis of our time

Energy Union: deals on efficiency targets and governance

UPDATED: Thousands flee fighting around Libyan capital as Guterres condemns escalation, urges ‘immediate halt’ to all military operations

New seat projections for the next European Parliament

The new era of Matriarchy?

4 ways to keep the momentum rolling on mental health

Services are the hidden side of the US-China trade war

Spring 2019 Economic Forecast: Growth continues at a more moderate pace

Visa-free access to the EU for UK nationals and to the UK for EU nationals

Top officials say UN will support Bahamas’ rescue, relief efforts as Hurricane Dorian churns in Atlantic

Budget Committee backs €2.3 million worth of aid to help 550 redundant media workers in Greece

Human rights on film: International festival celebrates mobile phone films for a cause

EU fight against tax-evasion and money laundering blocked by Britain

World Population Day: ‘A matter of human rights’ says UN

Ahead of UN summit, leading scientists warn climate change ‘hitting harder and sooner’ than forecast

The invisible L word: the struggles to achieve SRHR, as HIV/AIDS prevention and treatment for lesbian population

To solve the climate crisis, we need an investment revolution

‘Great Pacific Garbage Patch’ clean-up project launches trial run: UN Environment

Parliament votes reform for better European Co2 market but critics want it sooner than later

How COVID-19 accelerated the shift towards TradeTech

Why the UK government must do more to boost green revolution

On Brexit: the outcome of UK elections next May to be based on false promises?

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s