The European Court of Justice has just ruled that the transatlantic Safe Harbour agreement, which lets American companies use a single standard for consumer privacy and data storage in both the US and Europe, is invalid.
Companies such as Facebook and Twitter may now face scrutiny from individual European countries’ data regulators — and could be forced to host European user data in Europe, rather than hosting it in the US and transferring it over.
The consequences are a potential bureaucratic nightmare: In theory, American companies with European customers could now end up trying to follow 20 or more different sets of national data privacy regulations. Up to 4,500 US companies — not just tech firms — have relied on Safe Harbor.
The ruling says that “the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities.” In short, the European Commission’s Safe Harbour cannot usurp the powers of national authorities, the ruling says.
The ECJ ruling is final and cannot be appealed.
The EU Commission and the US negotiators are now challenged to put forward a new ‘Safe Harbor’ framework:
The European Parliament’s Civil Liberties Committee Chair Claude Moraes said: “The decision by the European Court of Justice today, declaring the invalidity of the Safe Harbour agreement, forces the European Commission to act in order to ensure that transatlantic transfers of personal data of EU citizens to companies in the US offer the continuity of protection required by EU law and come up with immediate alternative to Safe Harbour. The Commission has been in negotiations with the US for over a year on improving the framework but we have still received no update on these discussions.”
“The Commission must immediately put forward a new complete and strong framework for transfers of personal data to the US which complies with requirements of EU law as enshrined in the Charter of Fundamental Rights and EU data protection rules and provide our citizens with solid, enforceable data protection rights and effective independent supervision.”
What next? Please stay tuned …. there is more to come.
An update has been sent to member on October 9th 2015 – Members to check their inbox