The European Court of Justice has ruled that Safe Harbour — the data sharing agreement between the US and EU — is invalid. But what does this actually mean for the people of Europe and the companies they interact with on a regular basis? WIRED spoke with legal and privacy experts about what could happen in the wake of the latest ruling in the Max Schrems case.
What was the Safe Harbour agreement?
Safe Harbour was a deal between the US and the EU that allowed for the easy transfer of personal data.
It was established because US data protection laws didn’t match EU standards. EU data protection laws state that companies can only transfer EU citizens’ data outside of member states if the destination country has data protection laws that match those of the Union.
The US doesn’t have blanket data protection laws in place though. It has “sectoral” laws that address data protection in some areas — like the financial industry and children’s data — but it doesn’t have one federal law regulating data collection and storage. The US constitution offers some protections for US citizen data, but has no such defence for foreign citizens.
Until 2000 this meant EU personal data couldn’t be shared with the US. So both parties drew up the Safe Harbour agreement to allow licensed companies to carry data back to the US. There are currently over 4,000 companies registered under the Safe Harbour agreement, including Facebook, Google and Twitter.
In the wake of Edward Snowden’s revelations about the NSA’s mass surveillance operations, this law came under fire — with Austrian law student Max Schrems bringing the case to the European Court of Justice.
What companies operated under Safe Harbour?
The 4,000 or so businesses that were part of the Safe Harbour agreement include the major tech companies Airbnb, Apple, Google, Facebook, LinkedIn, Twitter and Yahoo. Big businesses such as Adobe, Coca-Cola Enterprises, Ford Motor Company and eBay were also signed up. The full list of companies is available to read here.
Why is this ruling important?
The ruling means the US and EU will have to renegotiate a data sharing agreement. For companies to continue operating across the Atlantic, the EU will either have to bend to the US, or the US will have to draft stronger data protection laws.
“It’s a historical judgement. Safe Harbour shouldn’t have been agreed to 15 years ago,” Anna Fielder, Privacy International’s chair of the board, told WIRED.
“There’s a lot of data transfers, not just between the EU and the US but between the EU and lots of other countries. And those countries don’t have special arrangements like Safe Harbour. They have to operate under EU legislation,” Fielder explained.
What does it mean for Safe Harbour licensed companies?
Businesses that relied on the Safe Harbour agreement for processing and storing their data in the US will need to rethink. Solutions could involve drafting new contractual agreements with users; encrypting US servers; or building EU-based servers. Companies will still be able to transfer data if they have the free and informed consent of users, and if it’s in the interest of the public or an individual.
This is the second ruling about data protection from an EU court in recent weeks. The first ruled that businesses had to comply with the laws of member countries as well as those of the EU when processing data across nations. At the end of the year the EU is expected to roll out the bloc-wide EU Data Protection Reform that will override these national regulations — and companies will have to rethink their policies all over again.
Data storage is going to be a “major issue” for companies in the coming months, Luke Scanlon, a technology lawyer at Pinsent Masons, told WIRED.
“The EU and UK want to be seen as leading destinations for innovators. There has to be a balance of course between protecting privacy and enabling digital services. But the more restrictions that are put on digital services, access to data, and using technology across borders, the more encouragement there is for innovators to set up outside of the EU,” Scanlon said.
Will there be an effect on the average user?
In the short term the ruling shouldn’t affect day-to-day use of the products from Safe Harbour-licensed companies. But the costs of figuring out where these businesses can now process and store data could be incurred by users.
“Ultimately where do costs usually hit — it’ll hit the customer,” Scanlon explained.