Photo: Bloomberg

Trans-Atlantic data pact struck down by EU’s highest court

The court struck down the safe-harbor accord after a student complained about how US security services gain unfettered access to customer information sent to the US

Luxembourg: A trans-Atlantic pact that potentially allows US spies to get their hands on European citizens’ private data was declared invalid by the EU’s highest court, in a ruling that threatens to plunge Internet companies into a legal limbo.

Judges at the European Union’s top court struck down the so-called safe-harbor accord after an Austrian law student complained about how US security services can gain unfettered access to Facebook Inc. customer information sent to the US. Other US companies, including Google Inc. and Yahoo! Inc., may also be affected.

The 15-year-old agreement, which allows American companies to move commercial data back to the US, compromises the privacy of EU citizens and their right to challenge the use of their information, the EU Court of Justice in Luxembourg said Tuesday.

“This judgment is a bombshell," said Monika Kuschewsky, special counsel at Covington & Burling LLP in Brussels. “The EU’s highest court has pulled the rug under the feet of thousands of companies that have been relying on safe harbor. All these companies are now forced to find an alternative mechanism for their data transfers to the US. And, this, basically overnight."

Snowden revelations

The EU’s top court has been weighing the validity of the data-sharing accord following revelations by former National Security Agency contractor Edward Snowden about US government surveillance activities and mass data collection. An Irish judge last year called on the EU’s tribunal to decide whether the deal still protects privacy and whether national regulators have the power to suspend illegal data flows from the EU to the US.

The pact, drafted in the pre-9/11 days, was designed to facilitate trade by allowing US companies with activities in Europe to shift information between their sites. It allowed companies to transfer data provided they adhered to a list of principles designed to ensure privacy isn’t breached.

‘Invalid’

US legislation “permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life," the EU court said in a binding ruling. The pact “is accordingly invalid."

Austrian privacy activist Max Schrems, 28, triggered the case with a complaint he filed against Facebook with the privacy watchdog in Ireland, where the US social network company has its European base. He alleged that Facebook’s Irish unit illegally handed over data to US spies. Schrems had previously filed 22 complaints against the Menlo Park, California-based company.

“The ruling won’t make it very easy to repair this and a quick fix won’t be possible either," Schrems told reporters in Luxembourg. “But it’s the first time that something actually happens in this entire mass surveillance box."

The court’s ruling wasn’t surprising but could “potentially be disruptive" to US companies, Michael Daniel, the White House’s cybersecurity coordinator, said in an interview in Washington Tuesday.

‘Still possible’

While Tuesday’s ruling will add to the clamor to negotiate Safe Harbor 2.0, it immediately revealed splits between EU governments.

German Justice Minister Heiko Maas described the judgment as a “strong signal" for the European Commission to “fight for our data protection standards internationally."

The British government called the ruling “disappointing," saying “there is an important principle here that companies must be able to transfer data to third-party countries."

EU officials said their aim is to step up discussions with the US to reach a new Safe Harbor pact.

The EU has “received very strong commitments from the US that there will be strong monitoring" of data use under any new agreement, EU Justice Commissioner Vera Jourova, in charge of data protection issues at the European Commission, told reporters in Strasbourg, France.

Daniel is confident an agreement will be reached. “I am convinced that it will be in the interest of both the United States and Europe to figure out how to enable data to flow for commercial purposes across the Atlantic in either direction," he said. “Ultimately we will figure out how to do that."

Fast-track ruling

The urgency of the ruling was highlighted by the speed of the judgment, just days after an adviser to the EU court described the safe harbor as illegal.

“Companies have worked under this agreement for 15 years," said Christian Borggreen, Europe director at the Computer & Communications Industry Association, a lobby group based in Washington D.C. and Brussels. “There’s a lot of uncertainty. The first question that all companies are asking the European Commission is: ‘Now what?’"

Facebook, like other tech giants, has been reeling from the effects of the Snowden revelations in 2013. The companies have been trying to assure their users or customers that their products are secure and that they don’t willingly turn over data to the US government.

The case concerns more than 4,000 US companies that are certified under safe harbor. Facebook said the case is about mechanisms of European law rather than individual firms.

National security

“Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from safe harbor," it said in a statement. “It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security."

The court’s decision could disrupt the ability of intelligence agencies to obtain data critical to preventing terrorist attacks, former US National Security Advisor James Jones said in an interview in Washington.

“During my time in the White House, we prevented several attacks on European soil by transferring information very quickly to our friends in Europe," said Jones, who served under President Barack Obama from 2009 to 2010. Disrupting information sharing means “we’re all swimming by ourselves," Jones said.

Peter Olson, president of DigitalEurope, a trade group with members including Google and Microsoft Corp., said the commission should “immediately issue guidance to companies operating under the safe harbor framework to ensure that essential and routine commercial activities can occur during the current legal vacuum."

The EU and the US should also, as a matter of urgency, conclude their long-running negotiations to provide a new safe harbor agreement, he said.

Bloomberg
