The trans-Atlantic Safe Harbor data-transfer agreement which governs the flow of personal data from the European Union to the US has been ruled invalid. The European Court of Justice said that the agreement compromises the privacy of EU citizens and their right to challenge the use of their information.
The 15-year-old pact’s validity was questioned after an Austrian law student, Max Schrems, challenged the Irish Data Protection Commissioner to investigate several US internet giants' alleged collaboration with the NSA’s prism program (Ireland is the location of Facebook’s European headquarters). The case was referred to the European Court of Justice which said that the Safe Harbor agreement did not eliminate the need for national privacy watchdogs to check US firms were taking adequate data protection measures.
"The United States safe harbour scheme... enables interference, by United States public authorities, with the fundamental rights of persons," the ECJ said in its judgment. "This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether... transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data."
There are over 5000 US companies certified under Safe Harbor, and it’s worried that without the means to transfer data to the US from Europe, trans-Atlantic trade will suffer. "Thousands of US businesses rely on the Safe Harbour as a means of moving information to the US from Europe," said Richard Cumbley from the law firm Linklaters. "Without Safe Harbor, they will be scrambling to put replacement measures in place."
The move is seen as a victory for European data privacy campaigners, who have expressed concern over who sees their information after Edwards Snowdon’s allegations of NSA spying programs came to light.
“This judgement draws a clear line,” Schrems said in an e-mailed statement. “It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.”