The Court of Justice of the European Union, in Luxembourg, is the EU's highest court. Credit: Court of Justice of the European Union
Privacy activists are overjoyed, but for businesses it's what one lobbyist described, only half jokingly, as "the doomsday scenario:"
The transatlantic transfer of European Union citizens' personal data was thrown into a legal void Tuesday when the Court of Justice of the EU declared invalid the 15-year-old Safe Harbor agreement with the U.S. because it provided inadequate privacy protection.
The ruling exposes businesses reliant on Safe Harbor to the threat of legal action. The fact that European Commission and U.S. officials are in the middle of negotiating stronger privacy protections offers little comfort, as the ruling also opens that to challenges in national courts. Only a complete rewrite of the EU's data protection regime, already in progress, might help -- but it won't take effect for up to two years after the final text is agreed, and that is still many months off.
The Safe Harbor agreement matters because it is the simplest of a number of legal instruments available to companies to prove that they comply with EU data protection laws, which require that personal data only be exported when it will benefit from the same level of privacy protection as it does within the EU.
Companies do have other legal options, including the use "binding corporate rules," which can be time-consuming and expensive to implement, and model contract clauses ratified by the European Commission, which may not always be suitable in individual cases. Safe Harbor, on the other hand, provides for a simple self-certification and registration process, which over 4,000 companies have already undertaken.
However, the protection afforded under that agreement is flawed, the CJEU ruled Tuesday, saying that it is only binding on the companies involved, and not on U.S. law enforcement and national security agencies. Data is thus vulnerable to legally sanctioned spying, the CJEU concluded.
"The ruling creates uncertainty for the European and international companies that rely on Safe Harbor for their commercial data transfers, most of which are small and medium-sized enterprises," warned Christian Borggreen, European director for the Computing and Communications Industry Association, an industry lobby group with Amazon.com, Facebook, Google, and Microsoft among its members.
Lawyer Mary Hildebrand said her clients have been grappling with the uncertainty around Safe Harbor and the rewrite of the EU's data protection rules for some time.
"Uncertainty is the enemy of business, because people have to close transactions. It's good to know what the rules of the road are," said Hildebrand, of law firm Lowenstein Sandler, ahead of the CJEU ruling.
Sign up for CIO Asia eNewsletters.