Facebook data transfers threatened by Safe Harbour ruling
- 6 October 2015
A pact that helped the tech giants and others send personal data from the EU to the US has been ruled invalid.
The European Court of Justice said that the Safe Harbour agreement did not eliminate the need for local privacy watchdogs to check US firms were taking adequate data protection measures.
It added that the ruling meant Ireland's regulator now needed to decide whether Facebook's EU-to-US transfers should be suspended.
The pact has existed for 15 years.
Facebook has denied any wrongdoing.
"This case is not about Facebook," said a spokeswoman.
"What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows.
"We will of course respond fully to any enquiries by our regulator the Irish Data Protection Commission as they look at how personal data is being protected in the US.
"The outcome... will have significant implications for all Irish companies who transfer data across the Atlantic."
The ruling was the result of a legal challenge by an Austrian privacy campaigner concerned that the social network might be sharing Europeans' personal data with US cyberspies.
"I very much welcome the judgement of the court, which will hopefully be a milestone when it comes to online privacy," said Max Schrems on learning of the judgement.
"It clarifies that mass surveillance violates our fundamental rights."
But others warned it could have far-reaching consequences.
"Thousands of US businesses rely on the Safe Harbour as a means of moving information to the US from Europe," said Richard Cumbley from the law firm Linklaters.
"Without Safe Harbour, they will be scrambling to put replacement measures in place."
The European Commission said it would issue "clear guidance" in the coming weeks to prevent local data authorities issuing conflicting rulings.
Let's start from scratch. What exactly is Safe Harbour?
The term refers to an agreement struck by the EU and US, that came into effect in 2000.
It was designed to provide a "streamlined and cost-effective" way for US firms to get data from Europe without breaking its rules.
The EU forbids personal data from being transferred to and processed in parts of the world that do not provide "adequate" privacy protections.
So, to make it easier for US firms - including the tech giants - to function, Safe Harbour was introduced to let them self-certify that they are carrying out the required steps.
More than 5,000 US companies make use of the arrangement to facilitate data transfers.
Why was it challenged?
In 2013, whistleblower Edward Snowden leaked details about a surveillance scheme operated by the NSA called Prism.
It was alleged the agency had gained access to data about Europeans and other foreign citizens stored by the US tech giants.
Privacy campaigner Max Schrems asked the Irish Data Protection Commission to audit what material Facebook might be passing on.
However, the watchdog declined, saying the transfers were covered by Safe Harbour.
When Mr Schrems contested the decision, the matter was referred to the European Court of Justice.
The case reflected a clash between two cultures: in the EU, data privacy is treated as a fundamental right; in the US, other concerns are sometimes given priority.
So, what are the immediate implications of the court's ruling?
Personal data should no longer be transferred to US bodies solely on the basis they are Safe Harbour-certified.
Instead, to authorise the "export" of the data, the two bodies involved must draw up and sign what are referred to as "model contract clauses", which set out the US organisation's privacy obligations.
"It will involve lots of contracts between lots of parties and it's going to be a bit of a nightmare administratively," commented Nicola Fulford, head of data protection at the UK law firm Kemp Little.
"The model clauses themselves are standard form - what you need to put into them are details of the data involved and the security steps being taken.
"It's not that we're going to be negotiating them individually, as the legal terms are mostly fixed, but it does mean a lot more paperwork and they have legal implications."
All of this will drive up costs and potentially cause delays.
Does this mean the tech giants are going to have to halt or alter some of their services?
It depends on who you speak to.
The big-name firms are being guarded about what they say.
Sources at one firm suggest it believes it already has all the necessary contracts drawn up and processes in place to avoid any disruption.
But an insider at another company suggests that it may have to alter or stop some of its data transfers across the Atlantic.
What everyone agrees on, however, is that the ruling will have wider impact.
"It's not just about companies whose core activity is data processing - i.e. the Facebooks of the world - it's the companies who don't have data processing capabilities of their own and transfer personal data abroad to get it done," explains Allie Renison from the UK's Institute of Directors.
"So, if you're a company that sends payroll data for administrative purposes across to the US, that becomes an issue.
"Likewise, it affects you if you're a firm trying to send over data about your customers for a marketing campaign."
Shouldn't everyone be prepared for this - after all, this was referred to the ECJ more than a year ago?
Yes - but few expected the court to rule on the matter so quickly.
Having said that, while some data privacy regulators - including the UK's and Ireland's - said they were satisfied with Safe Harbour's stamp of approval, Germany's watchdogs raised concerns years ago.
As far back as 2010, they told local firms they were still obliged to check whether Safe Harbour-certified organisations were actually taking adequate measures, and suggested they draw up model contract clauses to avoid any doubt.
Those data privacy watchdogs could face more work now, right?
If people challenge whether adequate steps to protect their data are being taken, the regulators may now need to intervene.
Max Schrems certainly intends to try again to make the Irish Data Protection Commissioner look into Facebook.
It should, however, be stressed that the social network strongly denies providing "backdoor" access to the US intelligence agencies.
Can't the EU and US just sign a new data-sharing agreement that would satisfy the ECJ's concerns?
Yes - but that's not as simple as it sounds.
The US and EU have in fact been negotiating to update the Safe Harbour pact for nearly two years, and won't say when they hope to conclude a deal.
Following Snowden's leaks, the EU sought to limit the circumstances under which the US authorities could access transferred data, and threatened to veto any future trade agreements if a new deal was not struck.
But despite repeated reports that an agreement was close, the two sides have failed to agree terms.
To further complicate matters, they recently agreed in principle on a separate data-sharing deal called the Umbrella Agreement, which governs how their law enforcement agencies share data.
But the EU has said it would only finalise the pact if Europeans are given the right to sue US companies in American courts for misusing their data.
The US seemed set to agree, but now its politicians may retaliate against the ECJ's ruling by refusing to grant the privilege.