European court bans data transfers to the US because of concerns over privacy
Importance: For multi-national companies operating within the EU
Recommended link: Finalisation of the EU-US negotiations on the data protection "Umbrella Agreement"
Good news for those worried about the NSA reading their messages, bad news for companies routinely transferring data between the EU and US. Yesterday the European Court of Justice invalidated a ‘safe harbour’ agreement between the US and EU that meant American companies could transfer data between servers in the US and Europe.
How has this happened?
Max Schrems, an Austrian Student, brought the action against Facebook arguing that Facebook was not complying with EU privacy law. After revelations about the spying conducted by the NSA, he argued that transfer of data from Facebook servers in Ireland to the US was against EU regulations, as it meant the US government could be spying on the data of European citizens.
The issue went to court in Ireland but was concluded in Facebook’s favour because of the US-EU safe harbour agreement. This is an agreement about data protection, and means data can be transferred provided firms sign up to abide by the 7 principles of the safe harbour agreement. Mr Schrems appealed the decision and it was taken to Irelands highest court. The decision taken by the European court of Justice invalidates the safe harbour agreement and has left the matter for Irish regulators to conclude. The court decided that US government spying essentially rendered the safe harbour agreement invalid because US security agencies can access data in the US without having to abide by the seven principles of the safe harbour agreement. They ruled that:
‘The Court observes that the scheme is applicable solely to the United States undertaking which adhere to it, and the United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by the scheme where they conflict with such agreements.”
What happens now?
Whilst it is now down to the Irish court to decide, the invalidation of the US-EU safe harbour agreement (which Facebook’s defence relied on) means the result is a forgone conclusion. The paragraph above puts it in no uncertain terms, the US has invalided the Safe Harbour agreement and so doesn’t have a leg to stand on. In the world of international data protection law, you don’t really get a clearer ‘no, you can't do that’ than the one just delivered by the European Court of Justice yesterday.
Who will it affect?
The ruling will prevent the sending of data on EU persons to the US for processing or storage. This will affect any companies operating in both markets, which store data on their customers that is processed or stored in the US. Facebook will clearly be affected immediately. To comply it may well have to invest in new data processing facilities within the EU as it will no longer be able to send it’s EU data to the US. This ruling will probably lead to a new political agreement between the EU and US, but that may end with companies having to abide by considerably more stringent criteria, regarding the privacy of data than they previously had to.
In the mean time, foreign companies operating within the EU will have to either invest in EU based servers for their EU operations, or comply with tougher EU privacy requirements across the board and adopt their standards globally. Either of these will mean incurring significant costs. The IAB was scathing about the effects of the ruling, releasing this statement:
Today’s decision by the European Court of Justice jeopardizes thousands of businesses across the Atlantic. For nearly 15 years, the Safe Harbor agreement has provided IAB member companies with an efficient means to comply with EU privacy law. Thanks in part to the Safe Harbor agreement, The US and EU are among the world’s most vibrant digital advertising marketplaces, together representing $84 billion in annual revenue, or nearly two thirds of global digital advertising revenues. This robust digital advertising ecosystem has provided citizens across Europe with countless free digital services, including news, entertainment, email, and social networks. The weakening of the Safe Harbor agreement limits European consumers’ access to valuable digital services and impedes trade and innovation. We urge the US and EU to agree on new rules for the transatlantic transfer of data, taking into account the CJEU’s judgment.
from Smart Insights http://ift.tt/1Q77A4j
via IFTTT
Nessun commento:
Posta un commento