The data-sharing agreement known as Safe Harbor was ruled invalid on Oct. 6 by the Court of Justice of the European Union, with widespread ramifications for organizations ranging from cloud computing providers to multinational companies that move information across the Atlantic.
The agreement, reached in 2000, prohibits the transfer of data outside the EU to third-party nations that don't meet the EU test of “adequacy” with regard to privacy protections. The Safe Harbor Decision enabled U.S. organizations to “self certify” that their data protection systems met the EU adequacy test so they could lawfully transfer personal data from the EU to the U.S. for the purposes of storage and processing.
The decision striking down Safe Harbor came about after an Austrian law student, Maximillian Schrems, lodged a complaint that his personal data was being unlawfully processed by Facebook in the U.S. His claims were based on revelations by Edward Snowden regarding cooperation between the National Security Agency (NSA) and companies such as Facebook to access the personal data of social media users.
In its widely anticipated ruling, the court agreed. “The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data,” Yves Bot, the court's advocate general, said in his opinion. Bot added that the agreement should have been suspended immediately following Snowden's revelations about the NSA.
The Court found that the Safe Harbor agreement compromised EU citizens' right to respect for private life, compromised the fundamental right to effective judicial protection and denied national supervisory authorities their powers to investigate breaches of the principles behind data protection.
Stewart Room, a partner at PwC Legal, said the case has revealed a significant flaw in the data protection regulatory framework: that the European Commission can adopt decisions which are binding on the national data protection regulators but the regulators still had a duty to investigate serious complaints.
Others expressed concern over the implications of the EU court's decision. “With the adoption of the cloud and the loss of safe harbor, companies face harsh requirements on the location and protection of data stored by them,” said Fred Kost, senior vice president at HyTrust.
– additional reporting by Tom Reeve, senior reporter, SC UK