In a decision that affects worldwide data flows, the European Union Court of Justice has ruled that the EU-U.S. Safe Harbor framework, which allows for the transfer of data from EU countries to non-EU countries, is invalid because the U.S. cannot adequately protect the privacy of that data.
Two weeks ago, a senior European Union legal official advised the EU court that the U.S. cannot ensure adequate privacy protections of a European Facebook subscriber's information transferred to U.S. servers, citing mass U.S. government (NSA) surveillance revealed by leaker Edward Snowden and saying that the 2000 safe harbor agreement between the EU and the U.S. was invalid.
"[T[he United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way
incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security," the court ruled. "Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased."
The European Commission is currently negotiating with the U.S. on some of the safe harbor's "shortcomings."
"The Safe Harbor agreement has been the cornerstone of the transatlantic digital economy since before global companies like Facebook were founded," said Daniel Castro, VP at the Information Technology & Innovation Foundation. "In the wake of the Snowden disclosures, European citizens and policymakers are understandably concerned about privacy safeguards in U.S. law. But abruptly revoking the Safe Harbor agreement was the wrong way to address those concerns. It will disrupt not just the thousands of U.S. and European companies that currently depend on the Safe Harbor to do business across the Atlantic, but also the broader digital economy. Aside from taking an ax to the undersea fiber optic cables connecting Europe to the United States, it is hard to imagine a more disruptive action to transatlantic digital commerce. Policymakers in the United States and EU should work together swiftly to implement an interim agreement so that we do not shut down transatlantic digital commerce overnight."
The Computer & Communications Industry Association, which said its members depend on "predictable rules for cross border data flows," was also clearly concerned.
"The ruling creates uncertainty for the European and international companies that rely on Safe Harbor for their commercial data transfers, most of which are small and medium-sized enterprises," said CCIA Europe Director Christian Borggreen. "We expect that a suspension of Safe Harbor will negatively impact Europe’s economy, hurt small and medium-sized enterprises, and the consumers who use their services, the most."
"We urge the European Commission to immediately issue guidance to companies that depend on Safe Harbor for their commercial data flows," he said.
And as for coming up with a new safe harbor agreement: "We encourage EU and U.S. negotiators to quickly present a new, safer Safe Harbor framework to ensure predictable rules to the benefit of European consumers and companies, addressing the concerns of the court."
Consumer groups essentially said "good riddance" to the agreement and argued that the ruling was a signal the U.S. needs to pass privacy legislation.
The TransAtlantic Consumer Dialog (TACD), whose members include the Center for Digital Democracy, said in a statement that its members "strongly welcome" the court's decision. "We, and our members, have repeatedly pointed out that the Safe Harbour agreement is not an effective way to protect the privacy and rights of Europeans," the group said. "Safe Harbor, agreed between the US and the EU in 2000, is a poorly enforced voluntary system based on companies’ self-certification to the U.S. Department of Commerce that they protect EU consumer data. But the program has been widely criticized by experts and advocates across the Atlantic."
"It is also more than high time for the United States to enact a comprehensive set of data protection rules, to bring it in line with 100 plus other countries round the world," they said. "In the absence of legislation, the U.S. cannot offer the EU any assurance that there will be adequate protection for the personal data stored or used by US companies."
Harriet Pearson, a partner in global law firm Hogan Lovells’ Cybersecurity practice, said the court's decision was an "unwelcome development" but not the end of the world, particularly given the EU-U.S. negotiation on a next-gen safe harbor.