The European Union’s highest court has ruled that the rules governing the transfer of personal data from Europe to the US are “invalid.” The landmark decision today (Oct. 6) will affect thousands of American companies that do business in Europe, including the likes of Facebook and Google.
Since 2000, the sharing of personal data between the EU and US had been permitted under the Safe Harbor agreement. Companies that signed up to this agreement had to agree to comply with seven privacy principles. The deal was heavily criticized for being inadequate long before the court ruling, not least because compliance was self-certified.
Following the revelations by Edward Snowden of the US’s mass surveillance program, Max Schrems became particularly concerned with the data Facebook held, namely whether his personal information was being shared with the US National Security Agency. Schrems, who is Austrian, requested the personal data Facebook had on him and he ended up with a 1,222-page PDF file. He believed that the scope of the information held by Facebook violated the EU’s strict data-privacy laws.
Schrems first lodged complaints with the Data Protection Commissioner in Ireland, where Facebook’s European headquarters is based. The Irish authority chose not to pursue the case, so Schrems appealed to the high court in Dublin, which eventually referred the case to the European Court of Justice.
The European Court of Justice sided with Schrems. Its ruling declared that Safe Harbor didn’t go far enough to protect EU citizens’ personal data, arguing that US companies “are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements.”
In a statement, Schrems said: “I very much welcome the judgment of the Court, which will hopefully be a milestone when it comes to online privacy. This judgment draws a clear line. It clarifies that mass surveillance violates our fundamental rights.”
The decision will affect 4,500 companies, which will now have to implement new systems to store and process user data—at the extreme, some may be forced to keep all data about European users in Europe. Big companies with extensive infrastructure in Europe won’t be hit as hard as smaller firms that rely on Safe Harbor to extend their operations abroad. The ruling won’t suddenly stop the transatlantic sharing of personal data, but it puts national data-protection agencies on notice to address privacy concerns like Schrems’ “with all due diligence.”