October 9, 2015

Facebook Privacy Decision Sees End to EU-US “Safe Harbor” Agreement

On October 6 the Luxembourg-based European Court of Justice ruled, in a case brought by an Austrian privacy campaigner against U.S. social media company Facebook, that the EU-U.S. data processing “safe harbor” agreement in place since 2000 was invalid, because it was insufficient to protect the privacy of EU citizens’ data held in the United States. In particular, with a nod to the Edward Snowden revelations, the court noted that data held in the U.S. was subject to “interference” from “public authorities.”

The safe harbor agreement served as a sort of guarantee that EU citizens’ data held in the U.S. would be afforded the same protections as if they were stored in the European Union (where privacy protections are in general much more substantial). Thousands of European and American companies — not only giants like Facebook and Google — relied on the safe harbor agreement to move customer data with relative ease from Europe to the U.S. Now that the agreement has been invalidated, these companies will have to put into place other arrangements, such as ad-hoc agreements or privacy-protecting model contract clauses, to satisfy EU data export requirements — or arrange for data storage and processing to take place in the EU. This may be particularly complicated for smaller firms who outsource data storage and processing to “cloud” providers like Amazon Web Services.

In the meantime, negotiations continue toward a new safe harbor agreement, though prospects are unclear so long as the U.S. declines to provide some method of redress for EU citizens whose privacy rights are impinged upon, either by private companies or in the name of national security. As of this writing, the U.S. government safe harbor website, at http://www.export.gov/safeharbor, is woefully out of date.

Matthew Davidson
mdavidson@clarkpartington.com
(850) 208-7014