Europe’s Top Court Declares 'Safe Harbour' Invalid

The Safe Harbour agreement, which allows data on EU citizens to be transferred to and stored in the US, has been declared invalid by the European Court of Justice in a landmark ruling that could have far-reaching repercussions for American cloud computing companies and their customers.

Safe Harbour was devised at the turn of the millennium as a way for US firms to store data on Europeans even though the data protection regimes of the two regions are at odds.

However, it started to unravel when law student Max Schrems complained to the Irish Data Protection Commission that his Facebook data may be at risk from NSA snoopers, under the PRISM scheme revealed by Edward Snowden in 2013.

The watchdog refused to investigate, citing Safe Harbour, so Schrems contested and took the case to the highest court in Europe.

Today’s ruling will mean the Irish watchdog has to re-investigate the case “with all due diligence” and decide whether the transfer of Europeans’ Facebook data to the US “should be suspended on the ground that that country does not afford an adequate level of protection of personal data.”

But it also has wider implications for other US cloud firms which regularly store European customers’ data outside the EU – adding unwanted extra cost and paperwork to contracts.

In this regard it’s not only going to impact US tech giants, many of which have European datacenters anyway, but also UK and European firms which outsource IT work to US-based service providers.

“This could potentially impact global trade as organizations would likely be required to re-structure business functions, outsourcing arrangements, business partnerships and re-locate IT assets to ensure processing of personal information does not take place inside the US,” warned KPMG privacy practice lead, Mark Thompson.

“For global organizations this would be a substantial undertaking and the associated costs and practicalities involved could be very significant.”

CBI director for competitive markets, Matthew Fell, added that the ability to transfer data easily and securely between the two regions was critical for businesses in today’s digital economy.

“Businesses will want to see clarity on the immediate implications of the ECJ’s decision, together with fast action from the Commission to agree a new framework,” he argued.

“Getting this right will be important to the future of Europe’s digital agenda, as well as doing business with our largest trading partner.”

BSA, the Software Alliance, said it was “very disappointed” by the decision and expressed concern it “will have a negative impact not just on providers of data services but will also be harmful to consumers of those services.”

Mike Weston, CEO of data science consultancy Profusion, warned that the ruling will hit particularly hard those mid-sized, data-heavy tech firms that lack the resources to react, many of which may reconsider whether to operate in Europe at all.

“There is also a risk that this move opens the door to retaliation from US authorities. European companies have a significant amount to lose if the US increases its data standards and requirements,” he added.
