Facebook, Google, Oracle and US tech companies will need to “urgently review” their data transfer arrangements from UK and Europe or risk breaching data protection laws, following this morning’s landmark court ruling. (See also: what is a graph database?)
The ruling puts an end to a longstanding legal battle between a privacy campaigner, Max Schrems, and social network Facebook. Schrems made several complaints against Facebook’s privacy laws and filed them to an Irish court - as Facebook is officially headquartered in Dublin. When the Irish Data Protection Commissioner refused to uphold Schrems' complaints, he requested a judicial review and the case has since escalated to the highest court in Europe. [You might also like: What is microservices?]
What is Safe Harbour?
Over 4,000 US companies rely on the Safe Harbour framework for the transfer of personal data from the EU to the US. It is a self-regulatory agreement that promises to ensure that customer data doesn't leave the company in control of it.
But the data protection agreement has suffered criticism following Edward Snowden’s NSA and GCHQ surveillance revelations. When EU citizens discovered that Safe Harbor certified companies - which promised to protect customer data - allowed government authorities to access their data, the European Parliament stepped in to condemn the practices and aired concerns over the protection offered under the agreement.
This morning’s ruling against Safe Harbor deems the method of data transfer invalid and this could have a significant effect on US company’s business from UK and European customers, a data protection expert at law firm Kemp Little explains.
“Such a ruling by the European courts could have significant political and financial impact as many business will have to hastily implement an alternative method of ensuring compliance with EU data protection laws, such as executing model clauses between the data exporter and data importer or implementing binding corporate rules between group companies," says Mahisha Rupan.
“Failure of EU businesses to put in place one of these alternative solutions for sharing personal data with the US could mean that these companies are in breach of EU data protection laws.
“While US tech companies are unlikely to be bound by EU laws and thus unlikely to be in breach of European data protection laws, they may find themselves losing business from EU customers,” she says.
Fortunately, the US Commerce Secretary is working with her EU counterparts to ensure that individuals are protected while businesses have certainty around the future of their data transfers, which Rupan says implies a new and reformed Safe Harbor package is imminent.
The EU Commission and the US Department of Commerce have been negotiating Safe Harbour reform for several years and this morning’s ruling is likely to increase pressure to expedite these negotiations.
Why is this ruling surprising?
There are significant political and economic consequences of declaring Safe Harbor invalid, and it seemed unlikely that the European courts would make such a bold move.
Further, the quick ruling - just one week after legal adviser to state government, the Advocat General, released his opinion on Safe Harbor - is not in line with typical European court litigation.
As Rupan explains: “Typically, the European Court delivers its ruling approximately three to six months after publication of the Advocate General’s opinion. While the exact reasons for the momentum of the judgement are unclear, it will certainly increase pressure on the ongoing renegotiations of the US-EU Safe Harbor Framework between the European Commission and the U.S. government, which appear to have stalled.”
Post Snowden and Schrems: what steps should my business take?
The European Commission has campaigned for Safe Harbour reforms due to its self regulatory nature for three years, so while the definitive ruling is a surprise, the opinions of the state advisers are not.
"The Schrems case will help to bolster on-going negotiations between the EU Commission and the US Department of Commerce for reforms to the Safe Harbour framework. Given the crippling effect ending Safe Harbor would have on US businesses, especially those in tech sector, this case is likely to help accelerate a deal being achieved for Safe Harbor reforms.," says Rupan.
But Safe Harbor is not the only way European firms can transfer personal data to the US. There are alternative ways of ensuring adequate protection for personal data relating to EU citizens, such as implementing binding corporate rules or executing “model clauses” contract between the data exporter and data importer.
This could prove troublesome, Rupan explains: "The binding corporate rules only works for intra-group data transfers and model clauses will need to be put in place between each data exporter and each data importer which may be prove to be impractical where a US company has thousands of EU-based customers.
"Consent of the individual may also be used to justify certain transfers to the US, but consent is tricky as it must be specific, informed and freely given."
In a statement, privacy advocate Schrems said: "I very much welcome the judgement of the Court, which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.
"The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it. This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.
"At the same time this case law will be a milestone for constitutional challenges against similar surveillance conducted by EU member states."