Doom or delight? Court ruling on Safe Harbor brings uncertainty to privacy dealings

By declaring the Safe Harbor agreement invalid, the Court of Justice of the European Union exposes businesses to legal action

Privacy activists are overjoyed, but for businesses it's what one lobbyist described, only half jokingly, as "the doomsday scenario:" 

The transatlantic transfer of European Union citizens' personal data was thrown into a legal void Tuesday when the Court of Justice of the EU declared invalid the 15-year-old Safe Harbor agreement with the U.S. because it provided inadequate privacy protection.

The ruling exposes businesses reliant on Safe Harbor to the threat of legal action. The fact that European Commission and U.S. officials are in the middle of negotiating stronger privacy protections offers little comfort, as the ruling also opens that to challenges in national courts. Only a complete rewrite of the EU's data protection regime, already in progress, might help -- but it won't take effect for up to two years after the final text is agreed, and that is still many months off.

The Safe Harbor agreement matters because it is the simplest of a number of legal instruments available to companies to prove that they comply with EU data protection laws, which require that personal data only be exported when it will benefit from the same level of privacy protection as it does within the EU.

Companies do have other legal options, including the use "binding corporate rules," which can be time-consuming and expensive to implement, and model contract clauses ratified by the European Commission, which may not always be suitable in individual cases. Safe Harbor, on the other hand, provides for a simple self-certification and registration process, which over 4,000 companies have already undertaken.

However, the protection afforded under that agreement is flawed, the CJEU ruled Tuesday, saying that it is only binding on the companies involved, and not on U.S. law enforcement and national security agencies. Data is thus vulnerable to legally sanctioned spying, the CJEU concluded.

"The ruling creates uncertainty for the European and international companies that rely on Safe Harbor for their commercial data transfers, most of which are small and medium-sized enterprises," warned Christian Borggreen, European director for the Computing and Communications Industry Association, an industry lobby group with Amazon.com, Facebook, Google, and Microsoft among its members.

Lawyer Mary Hildebrand said her clients have been grappling with the uncertainty around Safe Harbor and the rewrite of the EU's data protection rules for some time.

"Uncertainty is the enemy of business, because people have to close transactions. It's good to know what the rules of the road are," said Hildebrand, of law firm Lowenstein Sandler, ahead of the CJEU ruling.

Another lobby group, Digital Europe, warned that the ruling would cause immediate harm to consumers, employees and employers.

“We urgently call on the European Commission and the U.S. government to conclude their long-running negotiations to provide a new Safe Harbour agreement as soon as possible,” said its president, Peter Olson. Facebook isn't a member of his organization but Apple, IBM and SAP are.

While a new Safe Harbor agreement might provide stronger protections for personal data, it won't end the legal uncertainty.

That's because another aspect of the CJEU's ruling affirmed the right of national data protection authorities to investigate the protections afforded by such agreements and even to challenge them in the courts -- although it reserved to itself the right to invalidate agreements made by the Commission, as it did Tuesday with the first Safe Harbor agreement.

Before the CJEU's ruling, businesses registered under Safe Harbor could apply the same rules to their operations across the E.U., but by returning power to the national DPAs, warned Hildebrand, "We could lose that uniformity. We could have DPAs in different countries taking their own positions and conducting their own investigations. It could be country by country or, God forbid, case by case."

One way to clear up that uncertainty is to rewrite the laws.

In fact, EU lawmakers have been working since 2012 to rewrite the EU's personal data protection regime, which stems from a 1998 directive.

Work on the new general data protection regulation, though, is still several months from completion -- and even then won't take effect for another two years or so.

The European Commission is due to outline its plans for dealing with the aftermath of the CJEU's ruling later Tuesday.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Peter Sayer

Peter Sayer

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?