The Safe Harbor agreement was invoked 15 years ago to enable companies on both sides of the Atlantic to conduct everyday business, using data transfers, but has come under heavy fire, following 2013 revelations of mass US snooping.
Revelations by former National Security Agency (NSA) contractor Edward Snowden — now living in temporary asylum in Moscow — of the so-called Prism program, allowing US authorities to harvest private information directly from big tech companies such as Apple, Facebook and Google, prompted an Austrian law student Max Schrems to try to halt data transfers to the United States.
Bottom line: the #SafeHarbor ruling indicates the indiscriminate interception of communications is a violation of rights. Search OR seizure.— Edward Snowden (@Snowden) October 6, 2015
Schrems challenged Facebook's transfers of European users' data to its US servers because of the risk of US snooping. As Facebook has its European headquarters in Ireland, he filed his complaint to the Irish Data Protection Commissioner.
The case eventually wound its way up to the Luxembourg-based European Court of Justice (ECJ), which was asked to rule on whether national data privacy watchdogs could unilaterally suspend the Safe Harbor framework, if they had concerns about US privacy safeguards.
In declaring the data transfer deal invalid, the Court said the Irish data protection authority had the power to investigate Schrems' complaint and subsequently, decide whether to suspend Facebook's data transfers to the United States.
Commission Says Ruling Damages US-EU Trade, Endangers TTIP
However, the European Commission said the transfer of data between the EU and US will continue despite the legal opinion of the European Union's own Court of Justice. The Commission believes the court ruling undermines every business transaction done between the European Union and the United States and will endanger the controversial Transatlantic Trade and Investment Partnership (TTIP) trade deal being negotiated at the moment.
Frans Timmermans, the EU commission vice president, told reporters: "other mechanisms for international transfers of personal data" are available.
"We have been working with the US authorities to make data transfers safer for European citizens. In the light of the ruling, we will continue this work towards a new and safe framework for the transfer of personal data across the Atlantic."
"We will come forward with clear guidance for national data protection authorities on how to deal with data transfer requests to the United States in the light of the ruling," Timmermans told a news conference.
He was backed by Christopher Padilla, Vice President of Government and Regulatory Affairs at IBM, who said:
"The free movement of data across borders is the foundation of the global economy, facilitating everything from financial services and manufacturing to shipping and retail."
Rumours were circulating in Brussels Wednesday that "internal issues" at the Luxembourg-based court had led to the judgement being delivered unusually swiftly — two weeks — after the advocate-general had published his opinion on the case.
The Court's president Vassilios Skouris, who sat in on the landmark case, retires this week and a source at the Court agreed the procedure was unusually fast. But he noted that even without the president, "the court would still have been queried".