EU Court Ends US Safe Harbor, Makes Private Data Transfer Harder

Article Placeholder Image
By Casey C. Sullivan, Esq. on October 09, 2015 3:57 PM

A 15-year long data sharing pact between the United States and the European Union is no more, after Europe's highest court struck it down Tuesday. The European Union's Court of Justice ruled that European citizens' data isn't safe when stored on U.S. computer servers, since our pesky, spying government can peak into it.

The ruling will affect some 4,500 companies, from Google to Pfizer to Johnson & Johnson, who had long relied on the Safe Harbor system. That system, which allowed participating, companies to avoid complicated restrictions on the transfer of personal data out of Europe, is no more.

No More Safe Harbor

The court's ruling has major business implications for U.S. companies. Under E.U. law, personal data is much more heavily regulated than in the United States. Here in God's Country, privacy protections are typically limited to sensitive personal data, like Social Security numbers, medical records, and financial information. Back in the Old World, they're a bit stricter. The E.U. Data Protection Directive defines personal data as any personally identifiable information and protects against its transfer out of Europe.

Under the Safe Harbor program (or Harbour, as Europeans insist on calling it), United States companies may voluntarily subscribe to "a series of principles concerning the protection of personal data." That, in turn, helps them bypass European restrictions on transferring personal data to America. The program was used for everything from transferring human resource information from European offices to American headquarters to gathering advertising information on E.U. Facebook users.

Blame Facebook and the NSA

Speaking of Facebook, the case came before the Court of Justice after Maximilian Schrems, an Austrian citizen, sued over the social network's use of his data. Facebook transferred Schrems's information from its Irish subsidiary's servers to its U.S. data processing centers under the Safe Harbor program. But, Schrems argues, the U.S. government's spying (of the type revealed by Edward Snowden) meant his personal data wasn't in fact protected. That spying, including the NSA's PRISM data-collection program, allowed the government to take private information straight from large tech companies.

The Court of Justice agreed that European data in the United States wasn't adequately protected. While Facebook might agree to E.U. privacy standards under the Safe Harbor program, the U.S. government is free to "disregard, without limitation, the protective rules laid down by that scheme" and interfere with the rights of E.U. citizens. Since U.S. companies can't truly guarantee the privacy of European personal data, and since European citizens can't protect against the misuse of their data in U.S. court, the U.S.-E.U. Safe Harbor program was invalid.

The ruling kicks the United States off Europe's list of countries who provide "adequate protection" for personal data. American companies will now have to create contracts establishing strong privacy protections or seek approval from data protection authorities before transferring European personal data abroad.

Related Resources: