New EU high court ruling may end all data transfers to U.S.

October 7, 2015

Yesterday, the Court of Justice of the European Union (CJEU), Europe’s highest court, invalidated the 15-year-old Safe Harbour agreement that allowed the free exchange of electronic data between the U.S. and EU.

This ruling is actually a really big deal, in spite of the fact that it’s been underreported by major news media outlets: the Safe Harbour, which ensured that data transferred to the U.S. from the EU was treated the same as data transfers kept within the EU, was the primary legal mechanism relied upon by thousands of European and American companies to easily move data between the two regions.

And now that mechanism is gone. But judging from the response of tech giants like Facebook and Microsoft, you wouldn’t think that the ruling was that big of a deal: according to The New York Times, they have downplayed its impact, saying “side agreements with the European Union should allow the companies to continue moving data across borders.”

However, none of these agreements may be safe: the Times also cited Brian Hengesbaugh, a privacy lawyer “who helped to negotiate the original safe harbor agreement,” who stated that “[t]he ruling is so sweepingly broad that any mechanism used to transfer data from Europe could be under threat.”

What makes the ruling so “sweepingly broad”? It essentially found that transfers of data about EU citizens to the U.S. could not be guaranteed “an adequate level of protection.” Why is the CJEU making this finding 15 years into the Safe Harbour’s existence? The reason pertains to the revelations made by Edward Snowden in 2013, which, in part, exposed practices by the National Security Agency, among other federal agencies, in which personal information is collected from private companies such as Facebook and Google.

A bit of background: the EU has far stronger individual privacy protections than the U.S. In fact, the EU Charter of Fundamental Rights, the closest U.S. analogues of which are the Bill of Rights and later constitutional amendments, contains a specific provision that dictates that “[e]veryone has the right to the protection of personal data concerning him or her.” It is largely because of this provision that the CJEU found the Safe Harbour agreement to be invalid: U.S. companies couldn’t actually guarantee that information collected from EU users would be beyond the reach of the U.S. government.

Here’s the final punchline on why the ruling is so broad: because the CJEU could have taken any number of other remedial steps short of throwing out the agreement to address the concerns with U.S. government spying.  But it didn’t, and the fact that the CJEU is willing to go this far explains why “any mechanism used to transfer data from Europe could be under threat.”  The Safe Harbour agreement was the biggest one, and it seems that it may only be a matter of time until any of the aforementioned “side agreements” are similarly disposed of.

So what will be the result? Unless the U.S. can guarantee actual privacy protection for EU data transferred here (which seems highly unlikely given the NSA’s influence), we’re likely to see companies forced to segregate U.S. data from EU data, which may have a significant economic impact on these companies.

Of course, the EU could negotiate another Safe Harbour agreement with the U.S., but considering the breadth of this recent ruling, it would have to be worded very carefully to survive a legal challenge.

If data segregation turns out to be the end result of this ruling, it remains to be seen whether U.S. companies can put enough pressure on the government to effect stronger privacy regulations such that data may be exchanged freely once again between the U.S. and the EU.