US government snooping has scuppered a controversial agreement between the United States and Europe, which for 15 years had allowed liberal data transfer across the Atlantic. The Safe Harbour system had been established by the European Commission between 1998 and 2000, allowing US companies to register their data protection certification as equal and equivalent to that demanded by EU law.
More than 4,000 companies have availed themselves of the agreement, including Google and Facebook, in the process gaining a workaround for the otherwise laborious privacy rules that govern transferring information between the US and Europe.
For instance, companies with employees on both sides of the Atlantic could, thanks to Safe Harbour certification, manage all of their payroll information in the US, including that of European staff.
Tensions around just how safe that was proving to be for EU citizens, however, had been rising since the Edward Snowden whistleblowing revelations. The former NSA contractor claimed that programs like Prism gave US authorities unprecedented access to hitherto-considered private data stored by the biggest names in tech.
That, the Court of Justice of the European Union (ECJ) said this week, left EU citizens facing a situation where US security programs were given higher priority than the data protection requirements of Safe Harbour. Meanwhile, with non-US citizens failing to have any sort of legal recourse, the Court had no choice but to rescind Safe Harbour altogether.
“National security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements” ECJ
In a statement, the US said it was “deeply disappointed” by the decision, Reuters reports.
The commission will now work with the US on a new data transfer arrangement, it said, given the Court of Justice of the European Union ruling is effective immediately.
While larger businesses are expected to have workarounds already in place – or quickly enacted – to deal with the changing regulation, many of the smaller companies face laborious privacy hurdles to move data around.
In particular, it could lead to a change – perhaps temporary – in how advertising data is handled, given ad companies relied on Safe Harbour to gather tracking information about web browsers.
MORE Court of Justice of the European Union [pdf link]