Transatlantic data channels will stay open, says European Commission
European Court of Justice ruling leaves commission trying to calm businesses
Austrian Max Schrems waits for the verdict of the European Court of Justice in Luxembourg yesterday. Photograph: EPA/Julien Warnand
The European Commission has vowed to keep open transatlantic data channels after the European Court of Justice ruled invalid on Tuesday the 15 year-old Safe Harbour agreement with the US.
Hours earlier the European Court of Justice found Safe Harbour, a self-regulating data transfer framework for US companies, contradicted EU data rules and fundamental privacy rights.
The ruling left the commission scrambling to minimise economic disruption and legal uncertainty for companies affected, and increased pressure on Brussels to conclude talks with the US on a successor to Safe Harbour that meets EU privacy standards.
Commission vice-president Frans Timmermans called the ruling an “important step” towards securing a new deal with the the US that balanced citizens’ privacy rights with guarantees for business.
“We will come forward with clear guidance for national data protection authorities on how to deal with data transfer requests to the US in the light of the ruling,” said Mr Timmermans. “In the light of the ruling, we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic.”
The commission said it would post information on its website on how to keep data flowing through other channels, including standard data protection clauses in existing contracts and derogations in existing electronic data rules that allow transfers to complete contracts, such as when booking online a US hotel.
The European Court of Justice ended that practice yesterday when the court scrapped the 15 year-old deal.
Safe Harbour allows privileged and expedited data transfer for around 4,500 US firms operating in Europe, but the court said this privilege was undermined by claims from Mr Snowden that US intelligence services had access to the transferred data.
The European Court of Justice verdict also creates problems for Facebook’s international operations, based in Dublin, and puts the spotlight on the Irish Data Protection Commissioner , which regulates Facebook and other US tech giants based in Ireland.
The case arose when Austrian privacy campaigner Max Schrems filed a complaint with the Irish commissioner against Facebook’s use of his data following the Snowden claims. The commissioner said it had no means of intervening on Safe Harbour, which it said was the business of the European Commission.
Mr Schrems said yesterday the ruling would not make data flows illegal and dismissed as “alarmist lobbying” claims that striking down Safe Harbour would break the internet but remove a privilege enjoyed by US companies over other companies in other countries.
“I think the US now has to decide whether or not they want extra benefits for their companies in Europe, and whether they are ready to give up some of their surveillance,” he said.
The ruling now returns the case to the High Court, where Mr Schrems took a judicial review against the commissioner’s original decision. The High Court will now instruct Ireland’s regulator to investigate fully Mr Schrems complaint over Facebook and decide whether its data transfers of EU member data should be suspended.
“The ruling creates an obligation now on the Irish DPC to act on a complaint and, if it finds it to be founded, for parliament to put in place a legal remedy,” said Mr Gerard Rudden, partner at Ahern Rudden solicitors in Dublin and a member of the Schrems legal team
In a statement, Facebook said it relied on many legal methods for data transfer but was anxious to see legal clarity on the practice.
“It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security,” said a Facebook spokesperson.