The widely used international agreement for transferring data from the European Union to the United States by thousands of companies is invalid, Europe’s highest court said on Tuesday in a landmark ruling that will deal a massive blow to American tech companies operating in Europe.
Safe harbour was set up in 2000 to help companies on both sides of the Atlantic conduct everyday business, however it came under heavy criticism following 2013 revelations of mass U.S. snooping.
The EU’s rules make it illegal to transfer personal information to any country, or only allowed through expensive and more time-consuming means. The laws prohibit data sharing with countries that does not meet the bloc’s privacy standards, of which the United States is one.
Ending this business agreement would mean delays for not only social media sites and search engines, but potentially banks, telecoms, marketing organisations and other companies that depend on large amounts of digital traffic for communications or research.
According to the Information & Innovation Foundation think tank, more than 4,400 businesses including internet groups such as Facebook, Google and Amazon rely on the agreement.
The European Court of Justice said that the American data protection rules do not provide the same protections to individuals that are currently available in Europe.
Things changed in the wake of former National Security Agency contractor Edward Snowden’s revelations of the Prism programme allowing the US government to harvest private information directly from major tech companies such as Apple, Facebook and Google. Most of the data that was given to the US government on European citizens is said to be through the Safe Harbor program.
This prompted an Austrian privacy campaigner Max Schrems to try to restrict data transfers to the United States. Schrems challenged Facebook’s transfers of European users’ data to its U.S. servers because of the risk of U.S. mass surveillance programs. He brought the case against Facebook in Ireland because the company’s European headquarters are in Dublin claiming that their terms of service run contrary to EU law.
Eventually, the case went up to the Luxembourg-based ECJ, which was asked to rule on whether national data privacy campaigners could unilaterally eliminate the Safe Harbour agreement if they had concerns about U.S. privacy safeguards.
After ruling the data transfer deal invalid, the European Court of Justice said the Irish data protection authority had the power to conduct an enquiry into Schrems’ complaint and later decide whether to suspend Facebook’s data transfers to the United States.