Modern field guide to security and privacy

What the EU Safe Harbor ruling means for data privacy

The Court of Justice of the European Union on Tuesday invalidated a data transfer deal between the US and EU in a move that could have broad repercussions for thousands of American businesses.

Leonhard Foeger/Reuters
Austrian privacy activist Max Schrems originally brought a case against Facebook that led to an EU court invalidating the Safe Harbor agreement. He's seen here at an earlier court appearance in April in Vienna.

The Court of Justice of the European Union has revoked a pact that allows thousands of businesses to transfer personal data on EU citizens to the US – a development with potentially huge implications for businesses on both sides of the Atlantic.

On Tuesday, the Luxembourg court invalidated the European Commission’s US-EU Safe Harbor agreement on the grounds that it did not protect data on EU citizens from being accessed by US government and law enforcement agencies.

The ruling is unlikely to cause transatlantic data flows to stop immediately, but it raises thorny issues for US organizations handling European data.

"Technically, each company that has self-certified for the Safe Harbor may be in violation of the European Data Directive," warned Bart Lazar, a privacy attorney with Chicago firm Seyfarth Shaw.

As a result of the ruling, said Mr. Lazar, such organizations will need to take immediate steps to ensure they are complaint with the data directive or run the risk of being investigated by the EU's data protection authorities.

Many American companies will also have to go through the process of registering or notifying EU data protection authorities about their data privacy practices – a bureaucratic process that Safe Harbor had eliminated.

Safe Harbor provided a mechanism for US companies to self-certify their compliance with Europe's data protection and privacy requirements. The pact was put in place to ensure that American companies handling Europeans' personal data applied the standards of care equal to those in the EU.

Thousands of companies including tech giants Google, Facebook, and Microsoft use Safe Harbor as a basis for transferring data to American servers.

In fact, Tuesday's ruling stemmed from a complaint by Austrian privacy activist Max Schrems who challenged Facebook’s practice of sending data outside of its servers in Europe.

In a complaint filed with the Irish Data Protection Commissioner, Mr. Schrems held that former National Security Agency contractor Edward Snowden’s revelations about the US government surveillance made it clear that EU data was not safe.

The Court of Justice agreed with that view, finding that US companies are "bound to disregard, without limitation" the EU’s privacy requirements. "The United States safe harbor scheme thus enables interference, by United States public authorities," it noted.

Responding to the ruling, a Facebook spokeswoman said it pertained to just one of the mechanisms available under European law for enabling essential transatlantic data flows.

"Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor,” she said. “It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security."

In addition to invalidating Safe Harbor, the court gave the green light to data protection authorities in EU member countries to enforce the EU’s data protect rules as they see fit.

The ruling has predictably caused considerable concern about US companies being subject to tougher and more fragmented EU data security regulations.

"This decision could severely fragment the operations of global companies and undo much of the progress to strengthen the privacy and security of our mutual customers over the past decade," said Chris Pierson, general counsel and chief security officer at Viewpost, an online payments company.

Other critics of the ruling such as Sen. Ron Wyden (D) of Oregon likened the European court's decision to an act of protectionism against US global data processing services and Internet companies.

"By striking down the Safe Harbor Agreement, the European Union Court of Justice today called for open season against American businesses," he said in a statement that also called for surveillance reform in the US.

Even prior to the EU ruling, some trade groups have been calling on Congress to strengthen privacy protections for transatlantic data transfers.

Members of the Internet Infrastructure Coalition sent a letter last week to House Judiciary Committee Chairman Bob Goodlatte urging him to pass legislation that would provide EU citizens the right to contest misuse of their personal data in the US. The trade group described the bill as crucial to mending the frayed relationship between American tech companies and international consumers following the Snowden leaks.

"It is important to focus on the reason for the ECJ decision: U.S. government overreach, and not the actions of infrastructure providers,” the trade group said in a statement.

Many European officials such as First Vice President of the European Commission Frans Timmermans praised Tuesday's ruling but also said they would work with data protection authorities to create clear guidelines for data transfers.

"As citizens need robust safeguards and businesses need legal certainty," said Mr. Timmermans. "The guidance should help avoiding a patchwork of potentially contradicting decisions by the national data protection authorities and therefore provide predictability for citizens and businesses alike."


You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to What the EU Safe Harbor ruling means for data privacy
Read this article in
QR Code to Subscription page
Start your subscription today