The legal regime which allows US businesses such as Facebook to hold personal data about Europeans was today overturned by a court decision that sent shockwaves through the internet industry.
In Maximilian Schrems v Data Protection Commissioner, the Court of Justice of the EU ruled invalid a so-called ‘safe harbour’ framework agreed in 2000 by the EU and US.
Safe harbour allowed multinationals to hold data in the US despite laxer rules covering the protection of personal data.
The measure was challenged by an Austrian privacy activist Maximilian Schrems, a Facebook user, following the Snowden revelations about communications interception by US intelligence agencies. Schrems complained that the law and practice of the US did not offer sufficient protection against surveillance by public authorities of data transferred there.
The data protection commissioner of Ireland, where Schrems’ data was held, rejected the complaint on the ground that in a 2002 decision by the European Commission ruled that the safe harbour scheme ensures an adequate level of protection.
Today’s judgment holds that the existence of a commission decision ‘cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the data protection directive’.
This judgment has the consequence that the Irish data protection authority is required to examine Schrems’ complaint ‘with all due diligence’.
Although the decision had been expected since the publication of the advocate general’s opinion last month, the strength of the ruling prompted strong reactions.
Media lawyer Dan Tench, partner at international firm Olswang, predicted ‘appalling fallout’ as online businesses would be required to deal with individual data protection authorities rather than relying on safe harbour.
Monika Kuschewsky, of the data privacy team at international firm Covington described the judgment as ‘a bombshell’.
‘The EU’s highest court has pulled the rug under the feet of thousands of companies that have been relying on safe harbour,’ she said. ‘All these companies are now forced to find an alternative mechanism for their data transfers to the US. And, this, basically overnight, as the court has declared the commission decision on safe harbour invalid without providing for any transitional period.’
Mark Stephens, partner at international firm Howard Kennedy said that safe harbour was ‘essential’ and predicted that it would be renegotiated.
However Mahisha Rupan, senior associate at technology law firm Kemp Little said that safe harbour was not the only option.
‘There are alternative ways of ensuring adequate protection for personal data relating to EU citizens, such as implementing binding corporate rules or executing “model clauses” contracts between the data exporter and data importer.’
She added, however, that the binding corporate rules work only for intra-group data transfers and model clauses will need to be put in place between each data exporter and each data importer which may be prove to be impractical where a US company has thousands of EU-based customers.