Facebook, Google, Oracle and US tech companies will need to "urgently review" their data transfer arrangements from the UK and Europe or risk breaching data protection laws, following yesterday's landmark court ruling.
The ruling puts an end to a longstanding legal battle between a privacy campaigner, Max Schrems, and social network Facebook. Schrems made several complaints against Facebook's privacy laws and filed them with an Irish court - as Facebook is officially headquartered in Dublin. When the Irish Data Protection Commissioner refused to uphold Schrems' complaints, he requested a judicial review, and the case has since escalated to the highest court in Europe.
What is Safe Harbour?
Over 4,000 US companies rely on the Safe Harbour framework for the transfer of personal data from the EU to the US. It is a self-regulatory agreement that promises to ensure that customer data doesn't leave the company in control of it.
But the data protection agreement has drawn criticism following Edward Snowden's NSA and GCHQ surveillance revelations. When EU citizens discovered that Safe Harbour-certified companies - which promised to protect customer data - allowed government authorities to access their data, the European Parliament stepped in to condemn the practices and aired concerns over the protection offered under the agreement.
The ruling against Safe Harbour deems the method of data transfer invalid, and this could have a significant effect on US companies' business from UK and European customers, a data protection expert at law firm Kemp Little explains.
"Such a ruling by the European courts could have significant political and financial impact as many businesses will have to hastily implement an alternative method of ensuring compliance with EU data protection laws, such as executing model clauses between the data exporter and data importer or implementing binding corporate rules between group companies," says Mahisha Rupan.
"Failure of EU businesses to put in place one of these alternative solutions for sharing personal data with the US could mean that these companies are in breach of EU data protection laws.
"While US tech companies are unlikely to be bound by EU laws and thus unlikely to be in breach of European data protection laws, they may find themselves losing business from EU customers," she says.
Fortunately, the US Commerce Secretary is working with her EU counterparts to ensure that individuals are protected while businesses have certainty around the future of their data transfers, which Rupan says implies a new and reformed Safe Harbour package is imminent.
The EU Commission and the US Department of Commerce have been negotiating Safe Harbour reform for several years and this morning's ruling is likely to increase pressure to expedite these negotiations.