Top EU Court Invalidates ‘Safe Harbour’ Data-Sharing Agreement

The top court of the European Union on Tuesday suspended an agreement that has allowed data-sharing between the EU and the US for the past 15 years, following months of increased tensions over spying and the protection of personal data.

The ruling by the Court of Justice of the European Union (CJEU) means that the more than 4,000 companies that depend upon the agreement, including major US companies such as Google, Facebook and Amazon, will need to rework their data-sharing practices in order to maintain compliance with the law.

Data-protection decision

The ruling was the court’s final decision in a data-protection case brought by 27-year-old Austrian law student Max Schrems against the Irish data protection commissioner.

That case, in turn, was spurred by Schrems’ concerns over the collection of his personal data by Facebook, whose European headquarters is in Ireland, and the possibility that the data was being handed over to US intelligence services.

However, the so-called “Safe Harbour” agreement has been in question since 2013, when former NSA contractor Edward Snowden published documents revealing broad surveillance programmes carried out by the US government, including the collection of data from US Internet companies.

Following those leaks, the EU has been in negotiations with the US for a new Safe Harbour agreement that would place limits on government authorities’ access to transferred data.

An agreement on a new deal is thought to be close, but the invalidation of the current agreement, in place since 2000, is likely to create difficulties for many trans-Atlantic companies in the short term.

‘Invalid’ law

The court declared that the previous Safe Harbour deal was “invalid” as it takes data on European citizens outside the protection of European authorities.

The deal was originally intended to facilitate data-transfers to the US, a country whose data-protection regime is less stringent than that of the EU.

In September, the advocate-general of the European Court of Justice said in a legal opinion that Safe Harbour should be invalidated in light of “mass and indiscriminate surveillance” by the US government, in reference to the data-collection practices revealed by Snowden.

Last week the US Mission to the EU in Brussels disagreed, saying the opinion rested upon “numerous inaccurate assertions about the intelligence practices of the US”.

Restructuring

The Washington, DC-based Computer & Communications Industry Association (CCIA) on Tuesday urged the European Commission to issue guidance for the companies that depend upon Safe Harbour in order to ease the “uncertainty” caused by the court’s ruling.

“We expect that a suspension of Safe Harbor will negatively impact Europe’s economy, hurt small and medium-sized enterprises, and the consumers who use their services, the most,” said CCIA Europe director Christian Borggreen.

Industry observers said the invalidation of Safe Harbour could incur significant costs for trans-Atlantic companies as they rework their data-handling infrastructure, with costs potentially including a massive expansion of Europe-based data centre capacity.

The CJEU’s ruling comes at a time when companies are finding it increasingly difficult to ensure the security of individuals’ personal data, even within national borders, with massive data breaches becoming increasingly commonplace and data-protection complaints growing rapidly.

However, privacy campaigners have welcomed the move.

“In the face of the Snowden revelations, it is clear that Safe Harbor is not worth the paper it’s written on,” said Jim Killock, executive director of the Open Rights Group. “We need a new agreement that will protect EU citizens from mass surveillance by the NSA.”

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.

Comments

  • The real answer of course is for the US government to start respecting the privacy of their citizens and to stop ignoring the ideals of their founding fathers.

    If anyone was in any doubt, this ruling totally vindicates the action that Edward Snowden took revealing the actions and criminal behaviour of the US towards its own citizens and others with its mass surveillance. If anyone deserves a Nobel Peace Prize he does!

    Should add surveillance powers are required, but they have to be targeted and for a specific reason and overseen by the judiciary, like any search warrant.
