Following Edward Snowden's 2013 revelations of mass surveillance by the US National Security Agency (NSA) and Britain's GCHQ, mass surveillance became a global issue — particularly among human rights and privacy campaigners.
However, the European Court of Justice declared Safe Harbor invalid in a case brought by Austrian citizen Maximillian Schrems regarding Facebook's processing of his personal data. The court found that the "United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred."
However, the European Commission said the decision would not stop the transfer of data across the Atlantic, saying other means — apart from Safe Harbor — were available to companies, a statement that annoyed European lawmakers, who felt that the commission was not upholding personal data protection principles.
However, it has emerged that thousands of European companies hired lawyers, in the wake of the Safe Harbor ruling, to try and work out ways of continuing to transfer data to the US without risking a breach in EU law on data protection.
'Opened the Floodgates'
Cameron F. Kerr, former chief US interlocutor with the EU on data protection and the Safe Harbor agreement, writing in the EU Observer, said: "Unless the EU and US agree on a new framework rapidly, companies will have to evaluate separately the legality of each kind of data flow and choose from a menu that includes new contract provisions, revised privacy policies and business practices, reconfiguring networks, and applying to data protection authorities for approval of organizational rules for data protection and for approval of certain transfers.
"In the days after the decision, literally thousands of lawyers and privacy officers rushed to take part in webinars, seminars, and conference calls, producing hundreds of questions about what to do in response to the court's decision. The court has opened the floodgates."
He said the Safe Harbor ruling meant that thousands of companies had been put into a position where they might be accused of non-compliance with European data protection law for doing what until 6 October was lawful.
Vera Jourova, the EU Commissioner for Justice, Consumers and Gender Equality said the Commission will "soon issue an explanatory Communication on the consequences of the Schrems ruling setting out guidance on international data transfers. However, this cannot — and must not — replace the work of the Data Protection authorities in upholding and enforcing data protection rules.
"Given that the Safe Harbor was one of the central avenues for data transfers from Europe to the US, it is crucial to conclude the discussions with our US counterparts on a renewed framework for transatlantic data flows with a higher level of protection."
"This is important for transatlantic commercial relations and for our citizens. We need to make sure that the new arrangement lives up to the standard of the Schrems ruling," she said.