The European Commission’s US Safe Harbour decision is invalid, the European Court of Justice (ECJ) has held.
The Safe Harbour agreement enables companies to send personal data from Europe to the US with the understanding that EU standards of protection would be maintained. Safe Harbour has been used by companies for 15 years.
However, the decision this week in Maximillian Schrems v Data Protection Commissioner (Case C-362/14) drives a coach and horses through that agreement and could affect thousands of companies trading with the US.
The case centred on whether EU laws were broken by US companies allowing intelligence agencies access to personal data. An Austrian privacy campaigner asked the Irish Data Protection Commission to audit what material Facebook might be sharing with US intelligence agencies, in light of whistleblower Edward Snowden’s disclosure of the PRISM program. They refused on the grounds that safe harbour provides protection.
Mark Watts, IT partner at Bristows, says: “The ECJ ruling directly affects US tech service providers (for example, cloud providers) operating on the EU market and data-driven companies which need to transfer data to the US.
"These companies will need to start thinking about alternative data transfer arrangements. However, we think it is rather unlikely that enforcement action will be carried out in the immediate future—at least until EU data supervisory authorities have taken a position on the issue. We can also be hopeful that ongoing EU-US negotiations on a new ‘Safe Harbour 2.0’ will be speeded up."