On 6 October 2015 the European Court of Justice ruled that ‘Safe Harbour’, the agreement that for years has allowed companies to transfer their customers’ data back and forth across the Atlantic, is invalid.
The Court concluded that the U.S. had failed to show that it collects people’s data in a way that is “strictly necessary and proportionate to the protection of national security” and that both Americans and Europeans have “no administrative or judicial means of redress” if their data is used for reasons they did not intend.
This decision can be traced back to Edward Snowden revelations that the National Security Agency (‘NSA’) was accessing vast amounts of personal data up by tapping into the databases of giant U.S. tech and telecoms companies, all of which were signatories to the Safe Harbour agreement.
It is likely that there are thousands of companies who rely on the Safe Harbour to transfer data, in order to do business. These will now have to rely on ‘model clause’ in contracts.
Companies that may be particularly adversely affected are Google, Facebook, Microsoft and Apple, all of which have hundreds of millions of clients in Europe and transfer those client’s personal data to the United States for processing.
In fact, a young Austrian student and Facebook user, Max Schrems, brought this case. He researched Facebook’s privacy rules for his thesis, concluding that they violated E.U. laws. He lodged a complaint against the Data Privacy Commission of Ireland, (where Facebook has its E.U. headquarters).
The Atlantic just got a lot wider and deeper.