The Channel logo


By | Jennifer Baker 6th October 2015 08:30

Safe Harbour ruled INVALID: Facebook 'n' pals' data slurp at risk

Time to get off the jet ski and get the lawyers on the blower

In a landmark ruling that will have far-reaching repercussions, Europe’s highest court has ruled that data sharing between the EU and US under the Safe Harbour framework is invalid.

The decision in the Max Schrems case on Tuesday morning has been anticipated for months, but now legal eagles will have to work out how to manage the situation.

Safe Harbour is a fig-leaf agreement set up 16 years ago to create a way for US businesses to transfer EU citizens’ personal data to the US even though American data protection laws are not up to the European standard. Following the revelations by rogue sysadmin Edward Snowden that US businesses were being compelled to hand over personal data under the Prism programme, Austrian law student Schrems complained to the Irish data protection commissioner - Facebook’s EU operations are head-quartered in Ireland – that his privacy rights were being violated.

The Irish data protection authority (DPA) refused to act on the grounds that the social network is signed up to Safe Harbour/Harbor - a voluntary scheme whereby companies promise to protect EU personal data. Undeterred, Schrems took his case to the Irish High Court which referred it to the European Court of Justice (ECJ).

In today’s ruling, the ECJ says that national DPAs cannot use Safe Harbour as a reason for not investigating suspected mishandling of data.

The crux of the matter is that although companies may respect the Safe Harbour guidelines, “United States public authorities are not themselves subject to it”.

“Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons,” said the ECJ in a press statement.

In summary the court said that “the Irish supervisory authority is required to examine Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether transfer of the data of Facebook’s European subscribers to the US should be suspended on the grounds that that country does not afford an adequate level of protection of personal data.”

Technically that means that this particular ball is back in the Irish DPA’s court. But in reality, it means that the almost 5,000 companies relying on Safe Harbour for transferring EU data to US servers no longer have that safety net.

US businesses and authorities alike will be furious with the decision, lawyers will be rubbing their hands with glee and the European Commission will be shaking its head and wondering where it all went wrong. More to follow. ®

comment icon Read 82 comments on this article or post a comment alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


Suit-and-tie-wearing man tries to meditate, take deep breaths in faux yoga pose. Photo by Shutterstock
Emotional intelligence, not tech skills, is the way to woo suits
League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe