The European Court of Justice has ruled that the Safe Harbor agreement, a key deal enabling U.S. technology companies to extract European customer data, is illegal. The decision is seen as a direct effect of the Edward Snowden disclosures, which revealed that the U.S. National Security Agency monitors digital communications in Europe as part of a vast surveillance apparatus.
The Safe Harbor agreement was enacted in 2000 to give the U.S. tech industry a way to transfer data from European customers to American servers without explicit authorization from individual users or the countries where they reside. The ruling Tuesday comes weeks after Yves Bot, the top legal counsel at the European Court of Justice, admitted concerns that the Safe Harbor agreement enabled mass data collection without any European judicial oversight. Privacy rights groups and consumer advocates applauded the decision.
“We believe that information on the Internet should flow freely around the world, but this important freedom requires adequate data protection; Safe Harbor fails to provide this essential safeguard,” the Transatlantic Consumer Dialogue, an organization that represents more than 75 U.S. and European rights groups, said in a statement Tuesday. “It is also more than high time for the United States to enact a comprehensive set of data protection rules, to bring it in line with 100-plus other countries around the world.”
Facebook, Twitter, Google and other influential U.S. companies may now need to create separate European customer-only databases, rather than transferring that information across the Atlantic. And it doesn't concern just social media; at least 3,000 American companies that were protected by Safe Harbor now may need to follow up to 20 different national privacy regulations. Many of the companies that would be most affected by the change are believed to already have model contract clauses, agreeements allowing them to transfer data out of Europe, drawn up.
“The prospect of mass enforcement action against every U.S. company signed up to Safe Harbor, but without another compliance mechanism in place, instantly looks far-fetched, and we would expect the more pragmatic regulators (U.K., Ireland and others) to allow companies time to re-organize their compliance programs,” said Christopher Jeffrey, head of U.K. IT, telecoms and competition at law firm Taylor Wessing.
Microsoft, for instance, last year earned approval from European Union data protection officials for its cloud computing contract, partly in anticipation of Safe Harbor scrutiny.
“In countries like Germany, where Safe Harbor has long been regarded with suspicion, the regulators may not be so generous – they may feel concerns about Safe Harbor have been well-flagged and so businesses should have made alternative arrangements by now," Jeffrey said. "The key message to businesses is to 'get on it' immediately – getting model clauses signed, for instance, between affiliates and with key external suppliers should be relatively straightforward and helpful to show they are taking the issue seriously – go for the low-hanging fruit early to show a desire to move towards fuller compliance.”
The Snowden Effect
The European Court of Justice ruling came in response to a complaint from Max Schrems, a Facebook user and Austrian privacy activist who complained that, as a European, he had no legal recourse against PRISM and other mass surveillance programs exposed in 2013 by former NSA contractor Edward Snowden. Schrems first brought a privacy case against Facebook in Ireland, where the company's data centers are located. The court ruled that Facebook's data exportation was protected by Safe Harbor. Schrems appealed, bringing the decision Tuesday from the highest court in Europe. The European Court of Justice's ruling is final and cannot be appealed.
“This judgment draws a clear line. It clarifies that mass surveillance violates our fundamental rights," Schrems said in a statement. "This decision is a major blow for U.S. global surveillance that heavily relies on private partners. The judgment makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights."
There was no immediate reaction from American technology companies. Facebook previously said in a statement that "this case is not about Facebook."
"The advocate general himself said that Facebook has done nothing wrong," the statement said. "What is at issue is one of the mechanisms that European law provides to enable essential trans-Atlantic data flows. Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the U.S. from Europe, aside from Safe Harbor. It is imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security."
David Gilbert contributed additional reporting.