The laws that govern how customer data can be shared between Europe and the United States have been ruled invalid by a European court today.
Called “Safe Harbor,” the laws allow for technology companies like Facebook and Microsoft to move user data between data centers if they guarantee that it will receive an “adequate level” of protection.
That might just get a lot tougher for US-based technology companies, thanks to today’s decision in the EU Court of Justice.
The announcement came about due to a court case from Max Schrems, an Austrian privacy activist, who brought a case against Facebook in Ireland claiming that his privacy had been violated by the NSA’s mass surveillance programs.
The European Court of Justice ruled that Max Schrems’ case is valid and that data being transferred between the European Union and the United States can be suspended by “data protection authorities.”
Previously Schrems’ case was shrugged off by Irish authorities under Safe Harbor.
The ruling says that the Irish authorities must examine the complaint and decide whether “transfer of the data of Facebook’s European subscribers to the United States should be suspended” as it does “not afford an adequate level of protection of personal data.”
EU-US DATA TRANSFER SYSTEM CAN BE SUSPENDED BY NATIONAL DATA PROTECTION AUTHORITIES – TOP EU COURT
— Joost Schellevis (@Schellevis) October 6, 2015
This means that the Safe Harbor agreement is invalid and could have wide-reaching implications. The court reportedly said that the US’ outlines for the protection of that data were not adequate.
The United States has vehemently denied claims that it used “indiscriminate surveillance” by saying that it only ever used PRISM to collect data on “particular foreign intelligence targets” rather than performing blanket collection.
Previously, Yves Bot, the advocate general of the European Court of Justice, said that the Safe Harbor agreement did not provide “sufficient checks” on how data would be used.
Today’s ruling could mean that technology companies in the United States are forced to keep customer data within Europe, meaning they’ll likely need to further build out dedicated European operations to support future changes.
It’s great news for individual privacy, as data will likely now be held to higher standards of security against foreign intelligence, but it makes it difficult for overseas technology companies to make services available without a local presence.
This isn’t the end of the case, as it now needs to proceed through Ireland’s court to investigate whether data transfer to the United States should be suspended.
Update 6/10/15: Facebook contacted us with comment, saying that “This case is not about Facebook. The Advocate General himself said that Facebook has done nothing wrong” and that “What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows.”
“Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor. It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.”