News

EU Court Decides US Unsafe for Data

The European Court of Justice ruled yesterday that the Safe-Harbour data transfer agreement signed in 2000 between the US and EU is invalid.

by WAN-IFRA Staff executivenews@wan-ifra.org | October 7, 2015

This means American companies that transfer data from Europe to the US may need to readjust their strategy. The ruling is a victory for the Austrian activist Maximillian Schrems who is the plaintiff in the case and who has already brought two lawsuits against Facebook for violation of privacy.

Developed by the US Department of Commerce and the EU in 2000, the Safe Harbour agreement legalizes data transfer processes for American companies. It requires that companies self-certify that they will adhere to seven principles and the 15 frequently asked questions and answers outlined in the European Data Protection Directive.

“It’s a reaction to what happened in 2013,” said Oreste Pollicino, associate law professor from Bocconi University in Italy, referring to the revelation of US National Security Agency’s (NSA) widespread surveillance program by Edward Snowden. “It’s raising the bar of privacy protection and saying to the Americans: either you follow our rules or there is no space for you.”

The connection was particularly clear in an influential opinion written by Yves Bot, the European Court of Justice’s Advocate General, which was included in the 35-page judgment: “Once the personal data has been transferred to the United States, it is capable of being accessed by the NSA and other federal agencies, such as the Federal Bureau of Investigation, in the course of the indiscriminate surveillance and interception carried out by them on a large scale.”

Pollicino speculated that data centres may be built in Europe to keep EU citizen data on the continent. While agreeing that this possible outcome may sound archaic given the advent of cloud technology, he noted that this might be the “last chance” that the EU has in protecting privacy.

“It seems that the European institutions are attempting to transfer the physical concept of territoriality to the borderless world of the Internet,” said Elena Perotti, Public Affairs Officer for WAN-IFRA.

Besides invalidating Safe Harbour, the ruling empowers the 28 European member states to evaluate and decide how such data flow is regulated. English authority said that it is reviewing the judgement while the French authority has announced that it will be holding an emergency meeting tomorrow. Pollicino said there will be a period of uncertainty, but renegotiation is likely to take place soon between the US and the EU.

There are nearly 5,500 companies listed in the American government’s page as having self-certified, including tech giants such Apple and Facebook and smaller ones such as online learning company Coursera and retailer Staples. Some of the transferred data includes employee data, medical history, consumer emails and mobile numbers, financial data and purchase agreements.

Share via
Copy link