As many people expected, the European Court Of Justice, the highest court controlling European Union law, ruled in favor of Max Schrems and said that the Safe Harbor Agreement, negotiated between the United States and the European Union in the mid 1990s, is invalid and does not provide EU citizens with the protections mandated by the EU data protection directive.
I am currently on a conference call with 2,000 other privacy professionals discussing the impact of this ruling.
The short version is that technically, many companies are now transferring data in violation of the law between Europe and the United States, but that executives should not panic. Yet.
One part of the ruling is that the EU country data protection authorities (DPAs) do not have to bow down to the European Commission’s decision from the mid ’90s and MAY rule on whether adequate protections are in place – which then have to be referred to the European Court Of Justice, as Max Schrems did.
Another part of the ruling says that disclosures to law enforcement (read this as the NSA, FBI and others) need to be necessary, proportionate and subject to judicial redress. Needless to say, that is not what happens today.
It would seem to me that those same rules ought to apply to European surveillance activities, but I don’t think that court directive addresses that.
The US and EU have been working for two years trying to negotiate a new safe harbor agreement and last month initialed a form of agreement, pending the US passing new laws protecting the rights of EU citizens. Given the ruling today, I assume that this agreement will need to be revisited.
The privacy experts are saying that companies that transfer data between the US and the EU need to start – like tomorrow – looking at their situation with expert counsel and planning the future.
They also point out that this particular judgement ONLY affects Max Schrems's lawsuit against Facebook and does not invalidate all other agreements in the world. It does, however, create a framework or standard for the EU countries' DPAs to assess other lawsuits.
I also expect, now that Schrems has a ruling in his favor, that other lawsuits will be filed.
The United Kingdom data protection authority said that THEY do not plan to shut down the Internet, that people should not panic, etc.
The experts expect that a lot of conversations will begin between the 28 data protection authorities, the European Commission and the United States.