EU Court of Justice invalidates Safe Harbour and the game for thousands US businesses suddenly changes

A hearing at the European Court of Justice (European Court of Justice, 2010)

A hearing at the European Court of Justice (European Court of Justice, 2010)

In what some American media already call a “dramatic judgement”, the European Court of Justice last week changed the course of history for data protection and handling between the EU and the United States. After having declared the “Safe Harbour” data transfer agreement invalid earlier last week, on October 06, the EU’s highest court last Friday urged the EU and the United to shape a new trans-Atlantic data-transfer deal.

A paper monster

The ruling took immediate effect, and surely opened a big hole in the EU-US business legislation and data protection environments. The decision by the European Court of Justice junked a 15-years-old regulation and indeed left some 4,500 US companies, which have previously relied on Safe Harbour, linger in a potential bureaucratic nightmare. To understand why, it is necessary to take a step back and review some data privacy history.

Background

Since 2000, thousands of US companies have relied on Safe Harbour to comply with the “EU Data Protection Directive 95/46/EC” (the “Directive”) on the protection of personal data, and – more practically – to transfer personal data from the EU to the US. Indeed the Safe Harbour has been for fifteen years the “bridge” for thousands of businesses to cope with the many differences between the American and the European regulations. While the United States has a patchwork of various state laws on the privacy topic, the EU has a broad overarching law covering all industry sectors , the “Directive”, which prohibits the transfer of personal data outside of the EU unless there is an “adequate level of protection of the data.”

In order to facilitate business, the two superpowers negotiated a “Safe Harbour” agreement that allowed US companies to process and transfer EU citizens’ personal data only after qualifying for certain rules and principles. The Safe Harbour Framework indeed required adherence to guidance materials and seven basic principles: notice, choice, onward transfer, security, data integrity, access and enforcement. Under Safe Harbor, companies were basically free to transfer personal data from the EU to U.S in compliance with the EU Data Protection Directive and European privacy laws.

The NSA Leaks and the Schrems case

Post the Snowden scandal, more than 2 years ago, things have changed though. Edward Snowden’s National Security Agency leaks indeed showed that European data stored by US companies was not safe from surveillance that would be illegal in Europe, and many regulators, organisations and people started to become dig the matter further.

Maximillian Schrems, an Austrian law student and Facebook user, then argued that the Irish Data Protection Commissioner failed to protect him from mass surveillance by the US NSA. Schrems argued that the actions of many large US firms like Facebook, that basically store all – or at least a vast majority of – their customers data in the USA and then transfer personal data to the NSA as part of the infamous PRISM program, did not provide adequate protection of EU citizens’ data being transferred to third countries.

So the European Court of Justice was asked to investigate and to eventually rule on whether the Safe Harbour Framework was able to sufficiently protect the EU citizen under the EU Data Protection Directive. The court found that the Safe Harbour was “inadequate” to serve its original purpose, and that it did not “satisfy the requirements of the directive”.

The Court’s ruling

“The Court declares the Safe Harbour Decision invalid”, the official document by the Curia stated. “This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence”, it also declared. The document also cited that “even if the Commission has adopted a decision”, the national supervisory authorities, when dealing with a claim, “must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive”. Those are heavy words which are destined to change the entire game.

What happens now?

The full impact of this decision is currently hard to see, but for sure the future of cross border data transfers between the EU and US becomes now a big question-mark. By scrapping the Safe Harbour, the European Court of Justice has practically and immediately returned the issue to the hands of regulators in each country: from this moment onwards each EU member nation will decide its own way when it comes to interact with the US on data privacy and handling.

The impact on business

From a business point of view, this could turn into a real nightmare for American firms, as we said. US companies (potentially not only tech firms) that do business in Europe could be requested to keep data locally in each country that they operate in. Moreover, the decision creates new legal risks for companies and surely puts at risk all the bloc’s plans to create a single digital market, because it will jeopardize the region and the possibilities of doing business here by non-EU companies. Indeed now it might happen that one country might block a company’s transfer to the US while the regulator in another gives the green light. Indeed pretty fare from the “unity” dream Commissioners are foreseeing.

“What we need now is to work closely with the Americans to find a solution to get a safe ‘Safe Harbour’, which is in the interest of both Europeans and Americans”, briefly stressed Andrus Ansip, European Commission Vice-President in charge of digital single market. Mr. Ansip also said he would be meeting with businesses next week to discuss practical concerns but urged the EU and the U.S. to continue work towards creating a new Safe Harbour agreement.

A Trans-Atlantic case

Last weeks’ decision once again unveils the many differences between two of the worlds’ pioneers in privacy and data protection laws, which as one can imagine we’ll have huge impacts in the negotiations of trans-Atlantic deals such as TTIP.

It is impossible to determine in detail now the scale of the shock the ruling by the ECJ will have on real economy, but it will for sure add pressure on the ongoing negotiations between the two blocks around data protection, and possibly on all the other matters which are found on the Transatlantic table of negotiations.

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Featured Stings

A Young entrepreneur cries out: “start in Europe, stay in Europe”

For the future of Europe youth remains a priority

ECB ready to counter the rise of the euro?

Galileo funding: A ‘small’ difference of €700 million

Commission challenges Council over EU 2014 budget

The refugee crisis brings to light EU’s most horrible flaws and nightmares

UN-based World Summit Award (WSA) presents its master list on digital innovation with impact on society from 24 countries

Predicting two more years of economic stagnation

Why Eurozone urgently needs the ECB to print and distribute at least €500 billion

Economic recovery won’t tackle youth unemployment problem

The Americans are preparing for the next financial crisis

The Irish Presidency bullies the Parliament over EU budget

Commission to decide on bank resolution issues

Cancer research put at risk by General Data Protection Regulation? The possible dangers of a data privacy EU mania

European Union disenchanted with Turkey

European Banking Union: no one is perfect

US – Russia bargain on Syria, Ukraine but EU kept out

Paris, Washington, IMF against Berlin and ECB on money and interest

How I met the Panda Woman

Why do thousands of migrants need to be drowned for Brussels to wake up?

Greece and Ukraine main items on EU28 menu; the course is set

China’s New Normal and Its Relevance to the EU

EU seeks foreign support on 5G from Mobile World Congress 2015 as the “digital gold rush” begins

The developing countries keep the world going

What do Europeans believe about the crisis and the possible way out?

UN Environment Assembly 2017: where the world convenes to #BeatPollution

Meet the Junior Enterprise network at JEWC 2014!

Irish Presidency: Not a euro more for EU budgets

Berlin vies for a Germanic European Central Bank

Mood changes in Europe in favour of growth and jobs

European Energy Union: Integration of markets and need for in-house energy production

Is Eurozone heading towards a long stagnation?

Brexit mission impossible: Theresa May was so desperate that had to appoint Boris Johnson as Foreign Secretary

Mobile young people create the European labour market of tomorrow

EU’s tougher privacy rules: WhatsApp and Facebook set to be soon aligned with telcos

Brexiteer May gets lip-service from Trump and Turkish promises from Erdogan

Dreaming of China

Horse meat runs faster than authorities…

Why France, Italy and the US press Germany to accept a cheaper euro and pay for Greece

The European Parliament x-rays the troika’s doings

Azeri natural gas will keep the EU warm soon

EU Parliament: ECB accountable for not supporting real economy

Does Switzerland really need more medical students?

Syria: A bloody tracer of Trump – Putin rapprochement

Reality Shock

Global Citizen – Volunteer Internships

French election: Will France vote for a reformed or no EU?

Merkel had it her way with the refugees & immigrants but can Greece and Turkey deliver?

EU Migrant Crisis: Italian Coast Guard Headquarters and Italian Navy to give host national opening addresses at Border Security 2016 in Rome

MWC 2016 LIVE: Stripe gives payments leg-up to startups in emerging markets

EU fight against tax-evasion and money laundering blocked by Britain

The EU pollution rights trading system frozen

MWC 2016 LIVE: T-Mobile US reveals 5G trial plans

Youth policy in Europe not delivering for young people

Climate change and health: public health awareness in an international framework

EU free-trade agreements with Canada and US: imagine the fallout if put to national referendums

Why growth is now a one way road for Eurozone

What our leaders hide from us

A European Discovers China: 3 First Impressions

EU Council: The US airlines may freely pollute the European air

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s