The European Union has struck down ‘safe harbour’ rules which allowed the transfer of European data to the US
A decision by the Court of Justice of the European Union will lead to tougher privacy laws for EU citizens.
Previously, US companies such as Google and Facebook would transfer data received by their European headquarters in Ireland to data storage facilities in the US.
This data could be accessed and searched by the US Government through laws such as § 1881 FISA, which let it target data of “persons reasonably believed to be located outside the United States to acquire foreign intelligence information.”
However, under EU law data could only be sent to another country if that country provided ‘adequate protection’ of this personal data.
Max Schrems, an Austrian law student, brought a case to the Irish High Court arguing that the transfer of data by Facebook to the US breached EU law.
Schrems took the case in the aftermath of the revelations by Edward Snowden that the US had engaged in mass collection of personal data of both US and foreign individuals.
He had initially complained to the Data Protection Commissioner, who had declined to investigate, stating that the complaint was ‘vexatious and frivolous’.
The High Court ruled that Facebook had participated in mass surveillance by the US, arguing:
“…only the naïve or credulous could really have been surprised… that personal data transferred by companies such as Facebook Ireland to its parent company in the United States is thereafter being capable of being accessed by the NSA.”
The High Court then referred the case to the Court of Justice to decide whether there had been a breach of the EU law.
The Court of Justice ruled that the safe harbour agreement, which allowed companies to be listed as safe to transfer data to if they filled out a form online, was invalid.
While there are other ways for companies to be certified to receive data transfers from the EU, the principles established in this case are likely to set a high barrier.
Emails sent to the US, page views of American websites and orders from American companies are not affected, only the transfer of personal data.
For EU citizens this means better protection of their private data, as well as a larger role for Data Protection Commissioners to investigate complaints brought against foreign companies.
This decision is likely to result in heavy profit losses for US tech companies, at least in the short term.
A survey by the Cloud Security Alliance in 2013 found that US cloud businesses expected to lose 10-20 per cent of their business due to privacy concerns about NSA data gathering, or $21.5-35bn in yearly profits.
The ‘Article 29 Working Party’ of EU data protection officials recently confirmed that all transfers of data which had previously been certified under Safe Harbour were now unlawful.
If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.
It is unlikely that companies such as Facebook, Google and Microsoft will pull out of the EU entirely and risk losing millions of users. Instead they will probably set up data centres on the continent, outside the reach of the US Government.
It remains to be seen whether the EU and US will enter into a new agreement.
You can find a response to the ruling by Max Schrems here