
EU high court invalidates key ‘Safe Harbor’ data pact

The European high court on Tuesday invalidated an important data privacy pact that allows U.S. and European Union businesses to legally funnel information across the Atlantic.

The decision comes as regulators are working to update the 15-year-old framework amid increased scrutiny of U.S. privacy practices following the revelations of government whistleblower Edward Snowden.

Currently, under the so-called Safe Harbor agreement, U.S. companies can “self certify” that they meet the more-stringent European privacy protection laws in order to handle EU data.

Under the EU’s Charter of Fundamental Rights, citizens are guaranteed the protection of their personal data.

More than 4,000 U.S. firms rely on Safe Harbor rules to ensure their data transfers are legal, including the original defendant in the case, Facebook.

Those companies will now be left scrambling for alternatives, all of which critics say come with substantial challenges.

The European Court of Justice (ECJ) found that, because of the U.S. approach to domestic surveillance and the absence of legislation governing certain privacy rights, U.S. data practices did not meet the European standard, rendering Safe Harbor invalid.

“National security, public interest and law enforcement requirements of the United States prevail over the Safe Harbour scheme,” the court wrote. “The United States Safe Harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons.”

Business groups immediately criticized the ruling.

“The ruling creates uncertainty for the European and international companies that rely on Safe Harbor for their commercial data transfers, most of which are small and medium-sized enterprises,” Computer & Communications Industry Association Europe Director Christian Borggreen said in a statement.

“We expect that a suspension of Safe Harbor will negatively impact Europe’s economy, hurt small and medium-sized enterprises, and the consumers who use their services, the most,” Borggreen added.

“The weakening of the Safe Harbor agreement limits European consumers’ access to valuable digital services and impedes trade and innovation,” said Mike Zaneis, general counsel at the Interactive Advertising Bureau. “We urge the U.S. and EU to agree on new rules for the transatlantic transfer of data, taking into account the judgment.”

The ECJ opinion specifically pointed to a lack of legislation in the U.S. providing a pathway to legal redress for European citizens whose personal data is compromised.

Earlier this month, negotiators agreed to an “umbrella agreement” that would allow the two sides to exchange more data during criminal and terrorism investigations. The agreement is contingent upon the passage of a bill that would give EU citizens the right to seek legal redress for privacy violations in U.S. court.

Some observers suggested that the ruling should push both governing bodies to step up surveillance reform efforts.

“There is a clear need for the U.S. and Europe to set clear, lawful, and proportionate standards and safeguards for conducting surveillance for national security purposes,” said Jens-Henrik Jeppesen, director of European affairs at the Center for Democracy & Technology.

Over the weekend, Commerce Secretary Penny Pritzker indicated that no matter what the court’s decision, regulators would continue working together to clarify privacy standards.

“Following the court decision, we will continue to work with our partners in Europe to protect privacy while providing certainty for businesses,” Pritzker told The Wall Street Journal in a written statement, published Saturday.

The decision originated in a case brought against Facebook by Austrian privacy activist Max Schrems in light of the Snowden revelations. Irish regulators declined to take up the case, citing Safe Harbor, and Schrems brought his case to the ECJ.

Because the court invalidated Safe Harbor as a defense, the Irish supervisory authority is now required to examine Schrems’s complaint and decide if “transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.”