Up until now web companies from the United States which collected and stored customer data were operating for the past 15 years under the ‘Safe Harbor’ directive – a set of principles designed to ensure that customer data is not disclose to other parties, or simply lost. That was until now, that is October 6, as the European Court of Justice (EJC/CJEU) invalidated the Safe Harbor. This can have a huge impact on US web companies – cloud storage, online retailers and many others, including Facebook.
But first let’s have a look what the issue with Safe Harbor was. As the article on appy-geek.com explains, the directive has been challenged (along with a case against Facebook in Ireland) by an Austrian law student Max Schrems. The accusations were that major US web companies provide access into user data to US government, or NSA (National Security Agency) to be more specific. As we read in the text, these claims were based on revelations by ex-NSA’s contractor Edward Snowden.
Now, what does that mean to users? Just a day before the verdict has been given, an article by Boris Segalis (US), Marcus Evans (UK) and Jay Modrall on dataprotectionreport.com speculated on the possible outcomes:
The practical effect of such a decision would, however, depend on the actions of DPAs and others. We believe that DPAs would be unlikely to take immediate action to suspend transfers by companies under their jurisdiction in reliance on the Safe Harbor. However, there would likely be a wave of complaints and possible requests for interim action such as injunctions before national courts.
To make it more clear – since the Safe Harbor framework has been invalidated (with immediate effect), the affected companies will have to negotiate the terms with DPAs (Data Protection Authorities) in each country – separately.
Or as the text at appy-geek.com puts it:
With the ruling, the CJEU is effectively passing the responsibility for agreeing data-transfer partnerships to individual countries, which could prove a regulatory nightmare for US companies operating in the continent. Law firm Morrison Foerster said that by invalidating the data-sharing mechanism currently in place, the CJEU "puts these companies in an impossible position".
Does that mean all US web companies will cease to operate in Europe? The article at dataprotectionreport.com puts some doubt in here:
Even though an ECJ ruling invalidating the Safe Harbor would likely be applicable immediately, we believe regulators are unlikely to take immediate action to stop transfers from their jurisdictions in reliance on the Safe Harbor
Which would mean that the business can possibly go as usual, until new agreements are made. Unless, however: 'activists like Mr. Schrems could try to seek injunctive relief to block exports more quickly. The likelihood that Safe Harbor-certified companies will become targets for such action varies significantly from organization to organization.'