EU data transfers to US ruled invalid
THE European Union (EU) would press ahead with efforts to revamp transfers of personal data to the US after an EU court ruled yesterday that the current system was illegal, European Commission vice-president Frans Timmermans said.
“We have been working with the US authorities to make data transfers safer for European citizens. In the light of the ruling, we will continue this work towards a new and safe framework for the transfer of personal data across the Atlantic,” he told a news conference. “We will come forward with clear guidance for national data protection authorities on how to deal with data transfer requests to the US in the light of the ruling.”
The highest EU court ruled yesterday that the Safe Harbour deal that allows thousands of firms to transfer data from Europe to the US was invalid in a landmark ruling following disclosure of mass US snooping.
Many firms, particularly tech firms, have said the agreement helps them get around cumbersome checks to transfer data between offices on both sides of the Atlantic, including payroll and human resources information and also lucrative data used for online advertising.
But the decision by the Court of Justice of the European Union could sound the death knell for the system, set up by the European Commission 15 year ago and used by more than 4,000 companies including IBM, Google and Ericsson.
The court said Safe Harbour did not sufficiently protect EU citizens’ personal data as US firms were “bound to disregard, without limitation” the privacy safeguards in cases in which they come into conflict with the national security, public interest and law enforcement requirements of the US.
“The Court of Justice declares that the commission’s US Safe Harbour decision is invalid,” the court said.
The ruling follows disclosure from former National Security Agency contractor Edward Snowden about the Prism program that allowed US authorities to harvest private data from big tech companies such as Apple, Facebook and Google.
“The EU’s highest court has pulled the rug under the feet of thousands of companies that have been relying on Safe Harbour,” said Monika Kuschewsky, special counsel at law firm Covington. “All these companies are now forced to find an alternative mechanism for their data transfers to the US.”
Without Safe Harbour, companies could be forced to draw up contracts establishing privacy protections between groups or seek approval from data protection authorities for information transfers to countries the EU deems to have lower privacy standards, including the US.
The court case stemmed from a complaint by Austrian law student Max Schrems, who challenged Facebook’s transfers of European users’ data to its American servers, fearing the risk of US snooping.
The commission separately demanded a review of Safe Harbour to ensure US authorities’ access to Europeans’ data would be proportionate and limited to what is absolutely necessary.
Washington and Brussels have been in talks for two years to try to come up with a revamped data transfer system that could allay Europe’s privacy concerns, and yesterday’s judgment heaps pressure on the European Commission to come up with a solution.
“The ruling creates uncertainty for the European and international companies that rely on Safe Harbour for their commercial data transfers, most of which are small- and mediumsized enterprises,” said Christian Borggreen, director at the Computer and Communications Industry Association, whose members include Facebook.
Mr Schrems filed his complaint to the Irish data protection commissioner, as Facebook has its European headquarters in Ireland. The case wound its way to the Luxembourg-based Court of Justice, which was asked to rule on whether national data privacy watchdogs could unilaterally suspend the Safe Harbour framework if they had concerns about US privacy safeguards.