In a blow to thousands of U.S. companies, Europe’s highest court has invalidated a longstanding data-sharing agreement between the EU and the United States.
The ruling announced today affects U.S. companies that use the so-called Safe Harbor deal, which has been in effect for 15 years. The agreement allows for the free-flowing transfer of Europeans’ personal data between Europe and the United States as long as companies certify that that information is secure. Such data might include whatever’s needed to complete an online transaction, or to fetch a photo from an online service.
The decision stems from a lawsuit brought in Europe against Facebook by Austrian Max Schrems, who claimed Facebook can’t guarantee his information is secure in light of the NSA spying revelations based on the Edward Snowden leaks. Today’s ruling means individual data transfers can be evaluated by national data protection officials.
“No independent authority is able to monitor, in the United States, breaches of the principles for the protection of personal data committed by
public actors, such as the United States security agencies, in respect of citizens of the EU,” said the Court of Justice of the European Union in a statement about the ruling. The ruling was not unexpected because as we wrote last month, the legal adviser to the court had deemed Safe Harbor invalid because of “mass, indiscriminate surveillance” by the U.S.
“Governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it,” Schrems said in a statement on his website, Europe versus Facebook.
The Ireland data protection authority, which had cited Safe Harbor when it rejected the claims by Schrems about the security of his Facebook information, must now reconsider them. A Facebook spokeswoman told SiliconBeat that the company will respond to the “Irish Data Protection Commission as they look at how personal data is being protected in the U.S.”
That statement about U.S. data protection is key: Facebook points out that the case isn’t just about the company.
“What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows,” the spokeswoman said. Facebook said it has other legal means of transferring data from Europe to the U.S. besides Safe Harbor. But the company also said “it is imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfer.”
Big U.S. companies won’t be hurt by the ruling as much as smaller companies, according to Christian Borggreen, director of International Policy for the Computer & Communications Industry Association in Europe. Sixty percent of the companies that rely on Safe Harbor are small and medium companies, he told SiliconBeat in an email.
U.S. Secretary of Commerce Penny Pritzker has been negotiating with Vera Jourová, European consumer commissioner, on a new Safe Harbor framework. A Department of Commerce spokeswoman said the office would have a comment shortly.
Reacting to the ruling, San Francisco-based privacy advocate Electronic Frontier Foundation said on its website that the U.S. should realize that “dragnet surveillance” has economic and political consequences “as regulators, companies and individuals lose trust in Internet companies and services.”
Photo: Max Schrems, left, arrives with his lawyer Herwig Hofmann before a verdict at the European Court of Justice in Luxembourg, on October 6, 2015, on Schrems v Data Protection Commissioner of Ireland. Schrems claimed that the privacy of his data was violated by Facebook within the scope of NSA mass surveillance programs. (John Thys/AFP/Getty Images)
The post Facebook lawsuit sparks ruling that Europe, U.S. data-sharing is invalid appeared first on SiliconBeat.
