What the EU Safe Harbor ruling means for data privacy

The Court of Justice of the European Union on Tuesday invalidated a data transfer deal between the US and EU in a move that could have broad repercussions for thousands of American businesses.

The Court of Justice of the European Union has revoked a pact that allows thousands of businesses to transfer personal data on EU citizens to the US – a development with potentially huge implications for businesses on both sides of the Atlantic.

On Tuesday, the Luxembourg court invalidated the European Commission’s US-EU Safe Harbor agreement on the grounds that it did not protect data on EU citizens from being accessed by US government and law enforcement agencies.

The ruling is unlikely to cause transatlantic data flows to stop immediately, but it raises thorny issues for US organizations handling European data.

"Technically, each company that has self-certified for the Safe Harbor may be in violation of the European Data Directive," warned Bart Lazar, a privacy attorney with Chicago firm Seyfarth Shaw.

As a result of the ruling, said Mr. Lazar, such organizations will need to take immediate steps to ensure they are complaint with the data directive or run the risk of being investigated by the EU's data protection authorities.

Many American companies will also have to go through the process of registering or notifying EU data protection authorities about their data privacy practices – a bureaucratic process that Safe Harbor had eliminated.

Safe Harbor provided a mechanism for US companies to self-certify their compliance with Europe's data protection and privacy requirements. The pact was put in place to ensure that American companies handling Europeans' personal data applied the standards of care equal to those in the EU.

Thousands of companies including tech giants Google, Facebook, and Microsoft use Safe Harbor as a basis for transferring data to American servers.

In fact, Tuesday's ruling stemmed from a complaint by Austrian privacy activist Max Schrems who challenged Facebook’s practice of sending data outside of its servers in Europe.

In a complaint filed with the Irish Data Protection Commissioner, Mr. Schrems held that former National Security Agency contractor Edward Snowden’s revelations about the US government surveillance made it clear that EU data was not safe.

The Court of Justice agreed with that view, finding that US companies are "bound to disregard, without limitation" the EU’s privacy requirements. "The United States safe harbor scheme thus enables interference, by United States public authorities," it noted.

Responding to the ruling, a Facebook spokeswoman said it pertained to just one of the mechanisms available under European law for enabling essential transatlantic data flows.

"Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor,” she said. “It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security."

In addition to invalidating Safe Harbor, the court gave the green light to data protection authorities in EU member countries to enforce the EU’s data protect rules as they see fit.

The ruling has predictably caused considerable concern about US companies being subject to tougher and more fragmented EU data security regulations.

"This decision could severely fragment the operations of global companies and undo much of the progress to strengthen the privacy and security of our mutual customers over the past decade," said Chris Pierson, general counsel and chief security officer at Viewpost, an online payments company.

Other critics of the ruling such as Sen. Ron Wyden (D) of Oregon likened the European court's decision to an act of protectionism against US global data processing services and Internet companies.

"By striking down the Safe Harbor Agreement, the European Union Court of Justice today called for open season against American businesses," he said in a statement that also called for surveillance reform in the US.

Even prior to the EU ruling, some trade groups have been calling on Congress to strengthen privacy protections for transatlantic data transfers.

Members of the Internet Infrastructure Coalition sent a letter last week to House Judiciary Committee Chairman Bob Goodlatte urging him to pass legislation that would provide EU citizens the right to contest misuse of their personal data in the US. The trade group described the bill as crucial to mending the frayed relationship between American tech companies and international consumers following the Snowden leaks.

"It is important to focus on the reason for the ECJ decision: U.S. government overreach, and not the actions of infrastructure providers,” the trade group said in a statement.

Many European officials such as First Vice President of the European Commission Frans Timmermans praised Tuesday's ruling but also said they would work with data protection authorities to create clear guidelines for data transfers.

"As citizens need robust safeguards and businesses need legal certainty," said Mr. Timmermans. "The guidance should help avoiding a patchwork of potentially contradicting decisions by the national data protection authorities and therefore provide predictability for citizens and businesses alike."