What Happens After the EU Ruling on Safe Harbor Data Transfer?

Until the safe harbor agreement between U.S. and Europe was ruled invalid recently in a European court, it was understood that for any European company the U.S. was safe, and the data security in the U.S. was acceptable. What does the ruling by the European Court of Justice that the safe harbor agreement is invalid mean for companies?

According to a press release issued by the Court of Justice of the European Union, the issue surfaced when Maximillian Schrems, an Austrian citizen, “lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services [in particular the National Security Agency (‘the NSA’)], the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.”

Schrems had been a Facebook user since 2008, and as is the case with other subscribers residing in the EU, some or all of the data provided by Schrems to Facebook “is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed,” the press release stated.

The new European Court ruling states that the safe harbor agreement does not eliminate the need for a company to adhere to the data privacy laws of an individual country. The bottom line, the statement says, is that “the Court declares the Safe Harbour Decision invalid.”

The ruling creates obvious complications for multinational companies and companies using cloud providers, according to Andreas Gauger, chief marketing officer and cofounder of Profitbricks, a cloud computing IaaS company founded in Germany with offices in the U.S. For now, a company, for example, that is based in Germany can use a cloud provider that is based in Germany with the assumption that it must comply with German Data Security Act, or if it is using a company that is not incorporated in Germany, it has to take it upon itself to ensure that the cloud provider complies with German data security laws regarding protection of personal data. There is a clear German law, he said, that states that an organization can only store personal data where the German Data Privacy Law is 100% fulfilled.

According to Gauger, the safe harbor agreement was a temporary bandage that got around the underlying dilemma of different data-handling regulations in various European countries and the U.S. and gave organizations peace of mind they could move data to the U.S. even if they - or the company handling their data - were not complying with an individual European country’s data privacy laws.  Until the recent ruling on the safe harbor agreement in the European court, it was understood that for any European company the U.S. was safe, the data security policies in the U.S. were acceptable, but the new ruling says that is “actually not true,” said Gauger. Now, a new agreement will have to be forged between the different entities. “Now that band-aid has been ripped off and the wound is open. Now they have to sit down and finally agree on something.” 

Following the ruling on the safe harbor provision, the EU Working Party issued a statement on Oct. 16 that "If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions."