The European Court of Justice has issued a ruling which makes the Safe Harbour pact – created to make it easy for firms to transfer data across the Atlantic – invalid.
‘Safe Harbour’ was established to allow US companies to circumvent EU data transfer laws. The EU doesn’t allow data to be transferred to or processed in parts of the world which don’t utilise “adequate” privacy protections. It allowed US firms to say that they were carrying out adequate privacy checks themselves. However, the legality of Safe Harbour was challenged by privacy campaigner Max Schrems in 2013.
He asked the Irish Data Protection Commission to audit what material Facebook might be passing on to the US’ National Security Agency as part of the “Prism” surveillance scheme. The commissioner said the transfers were covered by Safe Harbour, however the European Court of Justice has since ruled it invalid. The Court noted that it didn’t eliminate the need for local privacy watchdogs to ensure US companies were taking adequate data protection measures.
What happens next?
So does this mean that US companies can no longer transfer data from EU countries? Not necessarily. Here is what will happen in the immediate aftermath of the Court of Justice’s ruling:
- US bodies will no longer be allowed to transfer personal data to EU countries on the sole basis that it’s Safe Harbour-certified.
- The Irish Data commissioner will now be required to examine how personal data is being used in the US, as will national data authorities across EU countries.
- The European Commissioner is planning to issue “clear guidance” to stop national data authorities issuing conflicting rulings on transatlantic data transfers.
- US data authorities will have to draw up “model contract clauses” with the data authorities in each EU country to allow the “export” of data.
Free movement of data
Christopher Padilla, Vice President of Government and Regulatory Affairs at IBM, summed up the importance of free movement of data. He was quoted by Yahoo News saying: “The free movement of data across borders is the foundation of the global economy, facilitating everything from financial services and manufacturing to shipping and retail.”
Safe Harbour was used for the most basic tasks e.g. payroll. Companies with employees in more than one region would use Safe Harbour to transfer payment information. It was particularly utilised by the advertising industry. Advertisers transfer personal data from the EU to the US all the time, for example, what people type into search engines or post on Facebook. This allows firms to personalise marketing and advertising campaigns and promote products or services based on consumer online activities.
Impact of ruling
Allie Renison from the UK’s Institute of Directors explained the impact of the ruling. She said: “It’s not just about companies whose core activities is data processing – i.e. the Facebooks of the world – it’s the companies who don’t have data processing capabilities of their own and transfer personal data abroad to get it done.”
Without Safe Harbour the transatlantic free movement of data become laborious, if not impossible. US firms could face new challenges when transferring data across the Atlantic even for the most routine of tasks, such as HR and payroll. Advertisers will find it harder to gather the vital customer information they need to tailor marketing campaigns to their target audiences, potentially rendering said campaigns less effective.