The Court of Justice of the European Union has declared a 15-year-old data transfer act that allowed American businesses to transfer European customer data to their servers located in the United States, citing the inadequacy of privacy measures put in place by American companies in the light of massive government surveillance revelations.
The Safe Harbour pact was created between the U.S. and E.U. in 2000 to allow companies to conduct their day-to-day trans-Atlantic business operations. More than 4,400 technology and non-technology companies, including Facebook, Google and Amazon, use Safe Harbour to allow data transfer to their U.S. servers without being subject to regulatory oversight by Europe's data protection watchdogs.
Although Safe Harbour mandates that companies treat European data with the same privacy treatment available to data located in the E.U., the ECJ agrees with European watchdogs who argue that American data protection rules are not adequate to safeguard European customer data, especially after whistleblower Edward Snowden's 2013 revelations that the National Security Agency has widespread surveillance programs that exploit technological back doors deliberately or accidentally put in place by companies.
In its ruling, the highest court of the EU says companies are "bound to disregard, without limitation" the privacy protection requirements put in place by Safe Harbour where the companies are under pressure by government agencies to provide data for purposes of law enforcement and national security.
"It is clear from the extensive exhibits accompanying the affidavits filed in the main proceedings that the accuracy of much of Edward Snowden's revelations is not in dispute," writes the ECJ in a statement. "The High Court therefore concluded that, once personal data is transferred to the United States, the NSA and other United States security agencies such as the Federal Bureau of Investigation are able to access it in the course of a mass and indiscriminate surveillance and interception of such data."
Without Safe Harbour, American companies are placed under scrutiny by each of the national data protection bodies in the 28-country bloc, and they will have to comply with each of their individual requirements to be able to transfer data across the Atlantic to their U.S.-based servers. For major companies who already have business operations in Europe, complying with different requirements may be a costly inconvenience, but smaller businesses may be crippled altogether.
"This is extremely bad news for E.U.-U.S. trade," says Richard Cumbley, global head of technology, media and telecommunications at Linklaters law firm. "Without Safe Harbor, (businesses) will be scrambling to put replacement measures in place."
The ruling comes following a separate lawsuit filed by Austrian law student Max Schrems against Facebook for allegedly failing to protect his privacy against snooping by the NSA. Schrems filed the case in Ireland, where Facebook's European headquarters is based, but Dublin's Data Protection Commissioner rejected his bid on the premise that Facebook's data transfers were protected by Safe Harbor. Schrems appealed, and the case eventually reached the ECJ.