Safe harbour: EU court rules EU-US data sharing agreement invalid

MEPs hope lessons will be drawn from scrapping of controversial data privacy agreement.

By Julie Levy-Abegnoli

06 Oct 2015

The European Court of Justice (ECJ) has ruled that the controversial 'safe harbour' EU-US data transfer agreement - which has been in place for 15 years - is invalid. 

The pact was originally set up to make it easier for US companies, including tech giants, to transfer people's personal data from Europe to the US, without breaking strict EU data privacy laws (within the EU, data privacy is considered a fundamental right).

'Safe harbour' was challenged by Austrian privacy campaigner Max Schrems, who following NSA whistle-blower Edward Snowden's US surveillance scheme revelations, asked the Irish data protection authority to determine what information Facebook (which has its European HQ in Dublin) was passing on. His request was denied, and the case landed before the ECJ.


Last month, the Luxembourg-based court published a non-binding opinion declaring the safe harbour agreement invalid. Tuesday's ruling means that US companies are no longer allowed to invoke the agreement when transferring personal data from Europe. 

The ECJ argues that because, "national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, […] US undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements."

MEPs largely welcomed the decision, with the chair of Parliament's centre-right European People's Party group Manfred Weber calling it, "a victory for citizens' rights", adding, "everyone who wants to do business in the European single market has to respect EU data protection standards."

Birgit Sippel, from the centre-left Alliance of Socialist and Democrats for Europe group, said, "the European Commission and the United States must now act immediately to address this situation. Ideally, the US should implement legislation that meets the data protection standards set out by the Commission."

Current EU data protection rules date back to 1995 - long before tech giants like Facebook and Google even existed. A new regulation is currently being negotiated and is expected by the end of the year.

Sippel added, "Regarding the national security exception that the US has previously insisted on, this must be used only when strictly necessary and in a proportionate manner".

Sophie In' t Veld, a Vice-President of Parliament's Alliance of Liberals and Democrats for Europe group said, "we need clear rules to govern the transfer of personal data to the US and other non-EU countries. They must be legally watertight, provide real and meaningful protection, and there must be proper enforcement. Like data retention, safe harbour is yet another example of bad legislation and bad enforcement."

"I hope lessons will be drawn from this and the push for unsound laws, that do not pass the test of legality and constitutionality, will end. We cannot always expect judges to repair sloppy legislative work by politicians looking for easy and popular measures," she said.

Parliament's rapporteur on the reform of EU data protection rules Jan Albrecht, said, "The European Parliament has already called for safe harbour to be scrapped, but the European Commission has ignored this demand for a year and half."

Echoing his colleagues' views, the Greens/European Free Alliance group deputy said, "it is now high time to pass a strong and enforceable framework for the protection of personal data in the course of the EU data protection reform, and make it clear to the US that is has to deliver adequate legally binding protection in the private sector, as well as to introduce juridical redress for EU citizens with regards to their privacy rights in all sectors, including national security."

However, not everyone was pleased with the ruling. DigitalEurope, which represents the interests of the digital technology industry, had "grave concerns about the long-term implications this judgement will have on the way Europe transfers data to the rest of the world."

Its President, Peter Olson, said, "we question how Europe will be able to effectively create a digital single market if 28 member states pursue different approaches to how the data can be transferred beyond Europe's borders."

He urged the Commission to, "immediately issue guidance to companies operating the 'safe harbour' framework to ensure that essential and routine commercial activities can occur during the current legal vacuum."


Read the most recent articles written by Julie Levy-Abegnoli - MEPs vote against beginning negotiations on updating EU copyright laws