A top European court has suspended the 15-year-old Safe Harbour data-sharing agreement between the Europe and the US.
The deal, which was made in 2000, allowed US firms to get data from Europe without breaking the continent’s data sharing rules.
The EU’s data protection directive says that personal data can’t be moved out of EU jurisdictions without there being adequate privacy protections in place. To get around the data protection regulations, the deal allowed those in the US to self-certify that they weren’t breaking any rules.
The Court of Justice of the European Union (CJEU) said that data sharing under the agreement is “invalid”.
The ruling comes following a complaint from Austrian Max Schrems, who, correctly according to the court, claimed that following Edward Snowden’s revelations of NSA mass surveillance that the agreement didn’t protect his privacy. His complaint related to his Facebook data being transferred from the company’s Irish subsidiary to servers where it is processed in the US.
In particular he stated that the law and practices of the US did not offer enough protection against surveillance of data transferred to the US. Schrems said, in a long statement posted online, that he hopes it will be a “milestone when it comes to online privacy” and that “it clarifies that mass surveillance violates our fundamental rights”
The court said that no provision of the Europe’s data laws “prevents oversight” of whether a person’s personal data is transferred to a third country.
“The Court [states] that legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life,” a press release detailing the judgement says.
— Max Schrems (@maxschrems) October 6, 2015
The CJEU decision has been welcomed by transparency and anti-surveillance groups. The Open Rights Group said that Safe Harbour “is not worth the paper it’s written on” and that a new agreement “that will protect EU citizens from mass surveillance by the NSA” is needed.
Joe McNamee, the executive director of European Digital Rights, said that Safe Harbour was “flawed in principle and flawed in practice”.
While Tim Berners-Lee’s World Wide Web Foundation stated that the decision shows that the web is a playing field that allows ordinary citizens to take on giants and international laws to improve their rights.
“Today’s Judgment puts people’s fundamental right to privacy before profit. Without effective safeguards for privacy, the Web as we know it could wither and die,” said the Web Foundation’s Renata Avila.
Avila continued to say that it is hoped the ruling will mean countries review their data protection and exchange policies. “Following today’s ruling, new safeguards must now urgently be put in place that protect the Web as it should be, a secure and private space where people can start businesses, research confidential topics or just chat with friends without the fear of being subjected to unwarranted government snooping.
— EPP Group (@EPPGroup) October 6, 2015
However, techUK, which represents companies working with technology, said it will cause “confusion and uncertainty” for those businesses who transfer data between the two continents.
The deputy CEO of techUK, Antony Walker, said: “This is a big issue for many small businesses in particular who will be faced with time the consuming and costly task of working through the full legal implications.
“The ability to transfer data lawfully across borders is fundamental for a growing and dynamic digital economy. Businesses need stability and certainty in the legal framework that enables this to happen.”