The Safe Harbor data sharing agreement between the US and the European Union(EU) is no more. A ruling by the European Court of Justice finds that the deal is inadequate to protect the privacy of European citizens. In the EU, privacy law forbids companies from moving data out of the EU into jurisdictions with weaker privacy protections. The safe harbor deal was an exception to the rule which allowed signatory companies to move data between the EU and the US as long as they followed a set privacy guidelines.
The case which brought an end to the Safe Harbor deal was filed by Austrian law student Max Schrems, who claimed Facebook was forwarding private information to the US in order to aid NSA spying. He originally brought the complaint to the Irish Data Protection Commissioner who rejected the complaint on the ground that the Safe Harbor framework allowed such data transfers to take place. Eventually the case was appealed to the European Court of Justice.
A major point in the court’s ruling is that there is no way for European citizens to obtain a legal remedy through the courts if their data is wrongfully seized by the NSA. The US can give all the assurances it wants that the NSA is not indiscriminately spy on Europeans and only spies on a few specific targets with probable cause, but it did not meet the burden of proof. Even if the US was given the benefit of the doubt on that point, the court’s point still stands. It’s always a possibility that law enforcement will seize data unlawfully, either through a mistake or deliberate misuse of power. In such cases, the only thing the target can do is seek a legal remedy through courts after the fact. Since the Safe Harbor framework provides no way for EU citizens to obtain a legal remedy the court finds that it “compromises the essence of the fundamental right to effective judicial protection.”
Even before Safe Harbor was overturned, many tech companies were raising the alarm about what its end could mean. Several companies like Facebook and Google claim to depend on it for even routine transfers of payroll and human resources data. However Schrems believes it will not be a major issue, stating, “There are still a number of alternative options to transfer data from the EU to the US. The judgement makes it clear that now national data protection authorities can review data transfers to the US in each individual case – while the ‘safe harbor’ allowed for a blanket allowance. Despite some alarmist comments I don’t think that we will see mayor disruptions in practice”