Europe’s top court rejects ‘Safe Harbor’ ruling – USA TODAY
WASHINGTON â Europe’s top court on Tuesday ruled that aÂ 15-year-old agreement allowing American companiesÂ to handle Europeans’Â data was invalid, a decision that could affect how technology companies such as Amazon, Facebook and Google operate overseas.
The European Court of Justice examined the case of an Austrian citizen who claimed that his data, in light ofÂ revelations by Edward Snowden that U.S. agencies spied upon people in other nations, wasn’t being adequately protected.
The ruling comes as European leaders and Washington are negotiating a new agreement on data transfers across the Atlantic. It also raises questions about how major U.S. tech firms can continue to operate there without breaking the law.
Currently, under so-called Safe Harbor rules, U.S. firms are allowed to transfer personal data of European citizens back to the U.S. and theyÂ only have to follow one set of rules on how data they store and collect within the European UnionÂ is protected.
If the Safe HarborÂ rules in place since 2000 are done away with, each country in the European Union could potentially set is own privacy rules and regulations, creating enormous barriers to U.S. firms doing business there.
The ruling could “unintentionally tilt the global privacy and data protection landscape to make the EU the global center of gravity,” Â said Jim Koenig of Paul Hastings, a Washington, D.C.-based law firm.
It could also force U.S.-based businesses to make expensiveÂ infrastructure investments and build European data centers to process data previously transferred to the U.S., saidÂ Scott Vernick,Â head of the data security and privacy practice at law firmÂ Fox Rothschild.
Laws in the European UnionÂ viewÂ personal data privacy as a fundamental right.Â U.S.Â laws consider it more anÂ issue of consumer protection.
To bridge that gap, theÂ Safe Harbor agreement was created.Â It providesÂ U.S. companies withÂ a single legal framework for sharing information with European firms, giving them legal protectionÂ to do business.
Some of the requirements of the agreement include thatÂ organizations which collect and use information about individuals tell them why the information is collected, giveÂ them choice to opt out of having their personal information disclosed to a third party, be able to correct or delete inaccurate information and take reasonable precautions to protect the information from lossÂ or unauthorized access
Today more thanÂ 3,000 businesses in the U.S. and the EU depend on the agreementÂ to avoid running afoul of European privacy laws, according to the Information Technology and Innovation Foundation.
That could change because of theÂ lawsuit brought last year against FacebookÂ byÂ Austrian law student and privacy advocate Max Schrems.
He argued that spying on Europeans by the National Security Agency, as disclosed by Snowden, meant his data privacy rights were not being adequately protected.
Schrems filed the case in Ireland, Facebookâs European headquarters.Â The Irish court rejected the suit andÂ Schrems appealed to the European high court.
“This decision is a major blow for U.S. global surveillance that heavily relies on private partners. TheÂ judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation ofÂ European fundamentalÂ rights,” Schrems said in a statement posted on his Twitter account after Tuesday’s ruling.
There was no immediate reaction from U.S tech firms.
In an opinon on Sept. 23, the European Court’sÂ Advocate General for the case, Yves Bot, had already declared the Safe Harbor agreement invalid.
Bot wrote that, “once personal data is transferred to the United States, the National Security AgencyÂ and other United States security agencies such as the Federal Bureau of Investigation are able to access it in the course of a mass and indiscriminate surveillance and interception of such data.”
The U.S. Mission to the European Union issued a statement saying that “theÂ United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens.”
The PRISMÂ surveillanceÂ program isÂ “targeted against particular valid foreign intelligence targets, is duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations,” the statement said.