Top EU court rules Safe Harbour ‘invalid’ leaving US data transfers in tatters

Data transfer rules between the US and EU have been ruled invalid

Facebook, Google, Apple, Microsoft and hundreds of other US tech firms are facing major disruption to their operations after the European Court of Justice ruled that laws regarding data transfers from the EU to the US are invalid.

The ECJ adopted the same decision reached by the US Attorney General last month that the Safe Harbour data processing rules initiated in 2000 do not provide enough guarantees that data on EU citizens will remain safe when sent to the US.

The court’s Safe Harbour decision (PDF) could mean that tech companies have to store data in the EU, rather than transferring it to the US, or achieve certification for other, more stringent and time-consuming rules regarding data transfers.

“The US authorities were able to access the personal data transferred … in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security,” said the ruling.

Secondly, the court said that EU citizens had no legal redress to stop their data being misused in this way, and that the rules undermined the power of data protection authorities to rule on data transfers.

“The court finds that the Safe Harbour decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals,” it said.

However, discussions are already taking place between the EU and US to create a new Safe Harbour framework that could replace the now-defunct model.

The ECJ said that it reached its conclusion based on several factors, such as that the US authorities could always “prevail” over Safe Harbour to access data when they deemed it necessary.

Schrems’ revenge
The case was brought against Facebook by Austrian resident Max Schrems after the Edward Snowden revelations in 2013 showed how US agencies such as the National Security Agency (NSA) were able to harvest data on EU citizens.

Schrems took his case first to the Irish Data Protection Authority as this is where Facebook is headquartered in the EU. The Irish data protection authority rejected the case, arguing that the Safe Harbour deal with the US was binding.

However, Schrems appealed against this decision in the Irish high court, which in turn asked the ECJ for its opinion, leading to the latest ruling.

He was understandably upbeat after the ECJ’s decision.

V3 contacted Facebook for comment on the decision but had received no reply at the time of publication.

The ECJ decision was welcomed by Open Rights Group executive director Jim Killock, who called for new rules to protect EU citizens.

“In the face of the Snowden revelations, it is clear that Safe Harbour is not worth the paper it’s written on. We need a new agreement that will protect EU citizens from mass surveillance by the NSA.”

Act now or else
Christopher Jeffery, head of UK IT, telecoms and competition at law firm Taylor Wessing, warned that, while other measures governing US data transfers exist, such as binding corporate rules or model clauses, the decision will have far-reaching implications.

“There are alternatives to Safe Harbour, but for most companies they take time and money to put in place and that will be an unwelcome distraction,” he said.

Jeffery added that data protection regulators across Europe are likely to react differently to the ruling. Some, such as the UK or Ireland, will be more lenient, but others, such as Germany, could well act swiftly against infringing firms.

“The key message to businesses is to ‘get on it’ immediately. Getting model clauses signed, for instance, between affiliates and with key external suppliers should be relatively straightforward and helpful to show they are taking the issue seriously,” he said.

“Go for the low-hanging fruit early to show a desire to move towards fuller compliance. Organisations which are slow to react and are seen to be doing nothing risk attracting regulator attention and that is not likely to end well.”

If the article suppose to have a video or a photo gallery and it does not appear on your screen, please Click Here

6 October 2015 | 9:13 am – Source:


Leave a Reply

Your email address will not be published.