Safe Harbour Data Agreement Ruled Invalid by EUCJ

The European Court of Justice (EUCJ) ruled on Tuesday that the so-called Safe Harbour data protection agreement, which sought to ensure the secure transfer of data between Europe and the US, is ‘invalid’.

The case was first brought to the attention of the authorities over two years ago by the Austrian privacy campaigner Max Schrems. In April, Schrems, a law student, organized 25,000 of his peers to rally against Facebook amid allegations that it had breached EU privacy laws. The case placed particular emphasis on the Safe Harbour data agreement, which was first introduced in 2000 to protect information travelling across the Atlantic. The case eventually made its way to the EUCJ, where the agreement was ruled invalid on the grounds that it did not adequately protect the privacy of user data.

Safe Harbour

Since EU law prohibits the movement of citizens’ data between EU member states and the US, the Safe Harbour legislation was established to ensure that the destination of data transfers provided ‘adequate’ privacy protection.

Safe Harbour was used by various US tech companies, including the larger data providers like Facebook, Google, Microsoft, and others to access data from their EU customers.

In a recent interview, Patrick Van Eecke, co-head of the global privacy practice at DLA Piper, said: “The advantage of Safe Harbour was that it functioned as a kind of ‘one stop shop’ allowing for the export of personal data to the US, whoever in Europe it came from, without the need to ask for consent, or to enter into bilateral agreements, over and over again.”

[Photo: Max Schrems, the Austrian privacy activist who took his case against Facebook to the European Court of Justice, and won. / Photo: europe-v-facebook.org]

What are the implications of the ruling?

Following the ruling, US tech companies will no longer be able to self-certify data transfers from Europe, and will instead have to establish “model contract clauses” for each individual transfer.

Essentially, the end of the Safe Harbour arrangement will result in a lot of paperwork for US companies, particularly for those that do not already have compliance procedures in place. Many of the larger companies, including Facebook, Google, and Apple, are well on their way to establishing data centres within the EU, which would remove the need for such data transfers.

Monique Goyens, director general of the European Consumer Organisation said: “In essence, if Facebook, Google et al. wish to continue sending Europeans’ personal data over the Atlantic they will just have to guarantee an adequate level of protection in line with EU rules”.

Aside from the wider implications of the court’s decision, Facebook has received a lot of critical attention, since the original case held the tech giant responsible for breaching EU data laws. Because of the decision, Facebook’s own data protection practices will be investigated by the Irish data protection authority (DPA).

In response to this, a spokesperson from EUCJ said: “[The DPA must] decide whether…transfer of the data of Facebook’s European subscribers to the US should be suspended on the grounds that that country does not afford an adequate level of protection of personal data”.

The court’s decision will, however, have a greater impact on smaller tech companies based in the US, including VPN providers. Many of these use US cloud-based services to outsource their data storage and processing requirements. Like the larger companies, they will have to submit model contract clauses, though for them this will be a greater financial and administrative burden.

Will there be another Safe Harbour?

Although the ruling on Safe Harbour has been in the pipeline for some time (it was expected to follow the opinion of the EU’s Advocate General), the decision was reached sooner than expected, and many are curious to know whether there will be new legislation to protect trans-Atlantic transfers.

Negotiations for a new agreement have been underway between the US and Europe since Edward Snowden’s NSA revelations in 2013, when it became clear to governments across the globe that data privacy cannot be taken lightly.

EU – US relations

Since then there has been growing tension between the US and Europe, with EU governments and governmental agencies attempting to limit US access to data, as well as encouraging their citizens to take legal action against US companies should they misuse data.

The EU even threatened the US with future vetoes on trade agreements, and several experts predict that the court ruling this week will only exacerbate an already strained relationship.

When addressing the new negotiations, Van Eecke said: “By tweaking and fine-tuning the existing Safe Harbour system and adding a layer of solid enforcement we could come to a workable solution. This is exactly what the government officials are working on, but which now risks being impeded by the court’s decision.”

Aside from these concerns, critics have suggested that encryption may be the best solution for maintaining data transfers across the Atlantic until a new agreement is reached. Nigel Hawthorn, an encryption expert from cloud security company Skyhigh Networks, said: “Organisations need to investigate technologies such as encryption or risk being dragged through the courts by privacy advocates, customers or employees. Tokenising or encrypting data flows before they are sent to the cloud, and keeping the keys on premise, means all of these issues disappear. There is no ‘personal’ data in the cloud service once it has been encrypted or tokenised”.
