|
 Many companies, particularly tech firms, have said the Safe Harbour
agreement helps them get round cumbersome checks to transfer data
between offices on both sides of the Atlantic, including payroll and
human resources information and also lucrative data used for online
advertising.
But the decision by the Court of Justice of the European Union (ECJ)
could sound the death knell for the system, set up by the European
Commission 15 year ago and used by over 4,000 firms including IBM,
Google and Ericsson.
The court said Safe Harbour did not sufficiently protect EU
citizens' personal data as American companies were "bound to
disregard, without limitation" the privacy safeguards where they
come into conflict with the national security, public interest and
law enforcement requirements of the United States.
"The Court of Justice declares that the Commission's U.S. Safe
Harbour decision is invalid," the court said.
The ruling follows revelations from former National Security Agency
contractor Edward Snowden about the Prism program that allowed U.S.
authorities to harvest private information directly from big tech
companies such as Apple, Facebook and Google.
The Commission will give a press conference at 1500 CET (9:00 a.m.
EDT) in response to the ruling, but it was unclear if the decision
would prompt national data protection authorities to suspend
personal data transfers to the United States.
"The EU's highest court has pulled the rug under the feet of
thousands of companies that have been relying on Safe Harbour," said
Monika Kuschewsky, special counsel at law firm Covington. "All these
companies are now forced to find an alternative mechanism for their
data transfers to the U.S."
Without Safe Harbour, multinationals could be forced to draw up
contracts establishing privacy protections between groups or seek
approval from data protection authorities for information transfers
to countries the EU deems to have lower privacy standards, including
the United States.
'UNCERTAINTY FOR FIRMS'
The court case stemmed from a complaint by Austrian law student Max
Schrems, who challenged Facebook's transfers of European users' data
to its American servers because of the risk of U.S. snooping.
[to top of second column] |
The Commission separately demanded a review of Safe Harbour to
ensure that U.S. authorities' access to Europeans' data would be
proportionate and limited to what is absolutely necessary.
Washington and Brussels have been in talks for two years to try to
come up with a revamped data transfer system that could allay
Europe's privacy concerns, and Tuesday's judgment heaps pressure on
the Commission to come up with a solution.
"The ruling creates uncertainty for the European and international
companies that rely on Safe Harbour for their commercial data
transfers, most of which are small and medium-sized enterprises,"
said Christian Borggreen, director at the Computer & Communications
Industry Association, whose members include Google, Facebook and
Amazon.
Schrems filed his complaint to the Irish Data Protection
Commissioner, as Facebook has its European headquarters in Ireland.
The case eventually wound its way up to the Luxembourg-based ECJ,
which was asked to rule on whether national data privacy watchdogs
could unilaterally suspend the Safe Harbour framework if they had
concerns about U.S. privacy safeguards.
"The judgment makes it clear that U.S. businesses cannot simply aid
U.S. espionage efforts in violation of European fundamental rights,"
said 27-year-old Schrems.
The Irish commissioner said her office would immediately engage with
colleagues in other national authorities across Europe to determine
how the judgment could be implemented.
(Additional reporting by Conor Humphries in Dublin; Editing by
Barbara Lewis and Pravin Char)
[© 2015 Thomson Reuters. All rights
reserved.] Copyright 2015 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
 |
