Technology, legal and privacy experts explain full implications of the ECJ’s decision to suspend the Safe Harbour data sharing agreement between EU and US
Earlier this week, the top court of the European Union suspended an agreement called ‘Safe Harbour’ that has allowed data-sharing between the EU and the US for the past 15 years, following months of increased tensions over spying and the protection of personal data.
The ruling by the Court of Justice of the European Union (CJEU) means that the more than 4,000 companies that depend upon the agreement, including major US companies such as Google, Facebook and Amazon, are affected.
But what are the implications for the technology industry? Privacy campaigners, industry figures and legal experts explain.
European Union First Vice President Frans Timmermans
“The Court confirms the need of having robust data protection safeguards in place before transferring citizens’ data. I see this as a confirmation of the European Commission’s approach for the renegotiation of the Safe Harbour. We have already been working with the American authorities to make data transfers safer for European citizens.
“In the light of the ruling, we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic.”
Max Schrems, whose original complaint led to the ruling
“I very much welcome the judgement of the Court, which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.
“The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it. This decision is a major blow for US global surveillance that heavily relies on private partners.
“The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights. At the same time this case law will be a milestone for constitutional challenges against similar surveillance conducted by EU member states. There are still a number of alternative options to transfer data from the EU to the US. The judgement makes it clear that now national data protection authorities can review data transfers to the US in each individual case – while ‘safe harbour’ allowed for a blanket allowance.”
Jimmy Wales, co-founder of Wikipedia
“For Wikipedia, I doubt there will be any impact from this. We don’t have any legal presence in Europe at all so good luck trying to stop us from doing whatever we want in America.
“It will be much harder for companies that do business in Europe. They face much more complicated issues.
“Never mind the impact of Europe versus USA when it comes to technology companies, what concerns me is that we are moving to an era of Balkanised data, where data has to be held in-country in very specific ways across many jurisdictions.
“From a technological point of view, that gets pretty annoying and complicated, to have to partition things.
“When I’m using cloud storage, such as Dropbox, which I love, I don’t care where they keep my data. I care that they look after it.”
Matthew Fell, CBI Director for competitive markets
“The ability to transfer data easily and securely between Europe and the US is critical for businesses in our modern data-driven digital economy. Businesses will want to see clarity on the immediate implications of the ECJ’s decision, together with fast action from the Commission to agree a new framework. Getting this right will be important to the future of Europe’s digital agenda, as well as doing business with our largest trading partner.”
Christopher Jeffery, head of UK IT, telecoms and competition at law firm Taylor Wessing
“The decision forces US companies needing to take personal data from the EU down some other compliance route – consent, model clauses or (for intragroup transfers only) “binding corporate rules” (or BCRs). There are alternatives to Safe Harbour in other words, but for most companies they take time and money to put in place and that will be an unwelcome distraction – no one was preparing for the abrupt disappearance of Safe Harbour until the Advocate-General’s Opinion was published last week.
“The immediate question for Safe Harbour signatories will be: what now? The prospect of mass enforcement action against every US company signed up to Safe Harbour, but without another compliance mechanism in place instantly looks far-fetched, and we would expect the more pragmatic regulators (UK, Ireland and others) to allow companies time to re-organise their compliance programmes.
“In countries like Germany where Safe Harbour has long been regarded with suspicion the regulators may not be so generous – they may feel concerns about Safe Harbour have been well-flagged and so businesses should have made alternative arrangements by now.
“The key message to businesses is to “get on it” immediately – getting model clauses signed, for instance, between affiliates and with key external suppliers should be relatively straightforward and helpful to show they are taking the issue seriously – go for the low-hanging fruit early to show a desire to move towards fuller compliance. Organisations which are slow to react and are seen to be doing nothing risk attracting regulator attention and that will likely not end well.”
Thomas Boue, director of policy at BSA | The Software Alliance
“BSA | The Software Alliance is very disappointed by today’s decision from the Court of Justice of the European Union on the Safe Harbour agreement. We are studying the details of the decision but are very concerned that this decision will have a negative impact not just on providers of data services but will also be harmful to consumers of those services.
“Today’s decision further underscores the importance of ongoing negotiations to craft a renewed and strengthened framework. BSA members are committed to fully protecting their customers’ personal data, and the Safe Harbour agreement is extremely important to ensuring European citizens have full access to the range of data services now transforming the European economy.”
Professor Mark Skilton, Warwick Business School
“The gap between American and European legislation on privacy is at breaking point; the Snowden revelations compounded by the fundamental differences in privacy rights of citizens, while both enshrined in personal liberty has been severely tested by government and commercial practices out of touch with local country economic sensibilities. It may be no bad thing in the long run as the issue of “free” data use and personal ownership seem to have been lost in the dash for “digital markets territory land grab” and social networking connections.
“Concern over consumer needs seem to have been a “double edged” temptation for internet companies seeking to build their own supplier markets but tempted by the overwhelming reveal of buyer habits and easy data access. This in turn has been a gold mine for intelligence agencies and security breaches alike, leaving the consumer protection laws and personal choice as something that customers are now just waking up to.”
Michael Bisignano, CA Technologies General Counsel
“While the full impact of the court’s ruling will take time to understand, CA Technologies is committed to continuing to apply appropriate and effective data transfer mechanisms to support its customers and partners. One example of our strong focus on protecting data has been that CA Technologies is one of the few technology companies that has introduced Binding Corporate Rules (BCRs) for data controllers. CA has also worked closely with the UK Data Protection Authority to achieve certification for meeting the highest possible European data protection standards.
“Secure data flows around the whole world have become the lifeblood of economies so we have very strong concerns about the implications of today’s judgment for the Application Economy. The consequence of the decision will go beyond Safe Harbour, creating the risk of a fragmented approach in Europe towards international data transfers. This can create legal uncertainty that could become a roadblock for the continued development of the Application Economy in Europe. A fragmented approach to international data transfers is the last thing Europe’s connected Application Economy needs.
“We believe that the European institutions and the United States government should collaborate over how best to resolve Safe Harbour provisions so that legal certainty can be assured for organisations.”