The Court of Justice of the European Union, in Luxembourg, is the EU's highest court. Credit: Court of Justice of the European Union
"Aside from taking an ax to the undersea fiber optic cables connecting Europe to the United States, it is hard to imagine a more disruptive action to trans-Atlantic digital commerce."
That was the measured reaction of the Washington think tank the Information Technology and Innovation Foundation to the news that the Court of Justice of the European Union had torn up the Safe Harbor privacy protection agreement on the transfer of personal data from the EU to the U.S.
But the European Commission seemed unperturbed by the abrupt end of the agreement it struck with the U.S. government in July 2000 to ensure that the personal data of Europeans was granted the same legal protections in the U.S. as it was in the EU.
Commission members Frans Timmermans and Věra Jourová took time out from discussing the ongoing refugee crisis in Europe to tell citizens that their main priority is protecting personal data transferred across the Atlantic, and to reassure businesses that their other main priority is continuing the flow of data -- with appropriate safeguards. Timmermans said the court's ruling is "an important step towards upholding Europeans' fundamental rights to data protection" while Jourová said it gave the Commission a better potential for continuing negotiations on a "safer Safe Harbor" agreement with U.S. authorities.
The two dismissed suggestions that the ending of Safe Harbor would bring an abrupt halt to the trans-Atlantic transfer of personal data, pointing out that European legislation also provides for a number of other ways of guaranteeing the privacy of such data.
Edward Snowden's revelations in 2013 of the extent to which U.S. intelligence services were able to access personal information held by companies such as Google and Facebook led the Commission to identify the shortcomings of Safe Harbor and to begin renegotiating the agreement with U.S. authorities, Jourová said.
That same year, a young Austrian law student, Max Schrems, filed a complaint with the Irish Data Protection Commissioner about the way his personal data was being handled by the Dublin-based Facebook Ireland. The DPC promptly rejected Schrems's complaint, saying Facebook's transfer of his data to the U.S. complied with the Safe Harbor rules. Schrems sought a judicial review of the decision from the Irish high court, which in turn asked the CJEU to rule whether the DPC was right to defer to the Commission's Safe Harbor agreement or whether it should have investigated the complaint.
Sign up for CIO Asia eNewsletters.