Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

EU's Top Court Holds Safe Harbor Agreement Invalid – What's Next?

October 13, 2015

As Naked Security and many others reported last week, on October 6th the European Court of Justice (ECJ) ruled against the transatlantic Safe Harbor agreement, which has allowed companies to transfer European citizens' personal data to the U.S.

The decision will affect thousands of companies which had been transferring a wide range of information under an agreement that allowed them to circumvent Europe's much stricter privacy rules.

The agreement had been under fire since Edward Snowden began revealing how European data stored in the U.S. was not safe from the NSA.

Large tech firms including Apple, Facebook and Twitter may feel the impact of the decision since it appears likely that they will now have to abide by the individual data privacy regulations in each of the member states of the European Union.

For American businesses – or European businesses transferring data to the U.S. – the only easy path to avoiding a nightmare is to create data centers in Europe, which would allow EU data to stay within the union. There is concern that some countries could even follow Russia's initiative with its mandate that its citizens' data must stay within its borders.

The ruling comes after law student and privacy advocate Max Schrems brought a case against Facebook, saying his privacy had been violated by the NSA's mass surveillance programs.

Though he is Austrian, Schrems brought the case in Ireland as the social network has its European headquarters in Dublin. After an initial unsuccessful skirmish with the Irish Data Protection Commissioner, Schrems successfully argued before High Court Justice Gerard Hogan, who ruled that he could pursue his case further as the NSA's aims and methods were not compatible with the Irish constitution, irrespective of whose data the agency may or may not have been spying upon. Justice Hogan escalated the case to the European Court of Justice.

The ECJ decided to overturn the Irish Data Protection Commissioner's initial ruling, saying that the Commissioner must now examine Schrems' complaint "with all due diligence." Once it has concluded its investigation, it must decide whether transferring the data of Facebook's European subscribers to the U.S. should be suspended on the ground that the U.S. does not afford an adequate level of protection of personal data.

The ruling of the ECJ is final and cannot be appealed, though many are optimistic that the EU and the U.S. can now work together to "find a [political] solution" that will be clear and consistent across all member states. The dust hasn't settled on this one, but there's a lot of scrambling going on, with parties hoping to reach a resolution between the members of the EU and the U.S. while preparing for the possibility that this effort will fail.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson