The European Court of Justice’s decision to rule the EU-US safe harbour agreement invalid is causing panic among some companies dependent on keeping data flows going ... but Google and Facebook are probably prepared for it.
Much to the satisfaction of those who have long condemned US data collection policies, the landmark decision in the Max Schrems case effectively says that personal data of EU citizens cannot be assumed to be stored in compliance with law when it is processed by a company in the US - regardless of whether or not companies have signed up to the agreement.
And there's more. According to Marc Dautlich, information law partner at Pinsent Masons: “Today’s ruling could have a significant impact on all EU-US data transfer mechanisms as it is likely other legal tools, beyond safe harbour, will come in for scrutiny too."
"That prospect creates uncertainty for businesses that, until now, will have believed the data transfer arrangements they have in place meet the standards required by EU law,” he added.
Some of those other options available to businesses are so-called “model clauses” which help them to meet the adequacy standards of EU privacy laws – something the US data protection regime as a whole fails to do.
Companies can also implement “binding corporate rules” (BCRs), said Dautlich, but both the model clauses and BCRs frameworks could now be under the microscope for the same reason as safe harbour, essentially because the US National Security Agency and other authorities can ride roughshod over them.
You alright, Big Tech?
Mike Weston, CEO of data science consultancy Profusion said the decision was not surprising, but “it will still have a profound impact on the global tech industry. American companies are going to have to restructure how they manage, store and use data in Europe and this will take a lot of time and money”.
“The biggest casualties will not be companies such as Google and Facebook – as they already have significant data centre infrastructure in countries such as the Republic of Ireland – it will be medium-sized, data-heavy tech companies that don’t have the resources to react to this decision," said Weston.
"Many of these businesses will reconsider how and whether they operate in Europe, which is bad news for everyone,” added Weston, who also warned about the possibility of “retaliation from US authorities”.
Facebook itself, one of the companies at the centre of this case, was at pains to point out it had done nothing wrong. “What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows,” said a Facebook spokesperson.
The Business Software Alliance (BSA) said it was very disappointed by the ruling: “We are very concerned that this decision will have a negative impact not just on providers of data services, but will also be harmful to consumers of those services,” said Thomas Boué, BSA policy director.
“Safe Harbor was flawed in principle and flawed in practice,” said Joe McNamee, executive director of European Digital Rights group, EDRi. “After last year’s data retention ruling, this is the second time in two years that the ECJ has struck down an instrument that the European Commission had spent years defending.”
“In reality, however, the case is much deeper than 'just' mass surveillance. The European Commission has never had the political courage to recognise that Safe Harbor was never safe. Even before the Snowden revelations, reports from the Commission itself and from independent research showed over and over again that the entire framework was inadequate,” said McNamee.
EU and US consumer organisations, represented by the Transatlantic Consumer Dialogue (TACD), a forum of US and EU consumer organisations, along with BEUC, the European consumer rights group, were delighted with the ruling.
The European Telecoms and Networks Operators (ETNO) organisation said it had been pointing to the weaknesses of the Safe Harbour framework for years.
“Our digital economy needs legal certainty in this field, especially in light of the significance of transatlantic data flows. Future arrangements should guarantee a high level of data protection and address the opportunities and challenges of the digital era,” said ETNO spokesman Alessandro Gropelli.
Liberal Democrat MEP Catherine Bearder called the ruling “a historic victory against indiscriminate snooping by intelligence agencies, both at home and abroad”.
German MEP, and the European Parliament’s 'Mr Data Protection', Jan Philipp Albrecht, pointed out that the flawed deal had allowed data transfers for more than a decade: “Safe Harbor enabled masses of Europeans’ personal data to be transferred by companies such as Facebook ... over the past 15 years."
"With today’s verdict it is clear that these transfers were in breach of the fundamental right to data protection," added Albrecht. "It is now up to the Commission and the Irish data protection commissioner to immediately move to prevent any further data transfers to the US in the framework of Safe Harbor.”
The head of the European Parliament’s Civil Liberties Committee, Claude Moraes, called for the current safe harbour framework to be “immediately suspended”, adding that he welcomed the European Court of Justice decision "as it finally backs up the repeated calls from the European Parliament for the suspension of the ... framework on the grounds that it does not ensure the adequate level of protection required by EU data protection law".
“The Snowden disclosures threw into the spotlight these inadequacies in particular, as it does not provide any protection from mass surveillance activities as it contains a national security exemption which has never been clarified," continued Moraes.
"However, there were also concerns prior to the Snowden revelations given that it is a non-binding agreement which lacks compliance by companies and gives no possibility for citizens to enforce their rights,” he added.
However, the Computer & Communications Industry Association (CCIA), which “represents companies that depend on predictable rules for cross border data flows”, disagrees. “We expect that a suspension of Safe Harbor will negatively impact Europe’s economy, hurt small and medium-sized enterprises, and the consumers who use their services, the most,” said Europe Director Christian Borggreen.
“We urge the European Commission to immediately issue guidance to companies that depend on Safe Harbor for their commercial data flows. It is imperative that the EU does not become a disconnected island in a global digital economy.” ®