The European Court of Justice has this week ruled the Safe Harbour agreement to be invalid. The ruling means that some 4,500 US companies that rely upon Safe Harbour will need to put alternative mechanisms in place in order to move information from Europe to the US.

What is Safe Harbour?

European legislation prohibits the transfer of personal data to a country outside the EU unless the country ensures an "adequate level of protection of personal data". The Safe Harbor scheme is a set of principles and rules for processing personal data. US organisations wishing to transfer personal data from the EU to the US may subscribe to the scheme voluntarily with the US Department of Commerce. An agreement was reached between the US and the European Commission in 2000 that US companies that subscribed to Safe Harbour would be considered to be operating within the requirements of the European legislation requirements.

So what’s changed?

In 2013 Ed Snowden leaked details of a surveillance scheme operated by the US’ National Security Agency (NSA) called Prism. He alleged that the NSA had gained access to personal information regarding Europeans (and other foreign nationals) from the giant tech companies.

An Austrian privacy campaigner, Max Schrems, asked Ireland’s data protection regulator to investigate Facebook (whose European HQ is in Ireland). The Data Protection Commissioner declined claiming that Facebook’s transfer of his personal data to the US was covered by Safe Harbour. Mr Schrems contested that decision and the case was referred to the ECJ.

The ECJ has ruled that the European Commission’s agreement that Safe Harbour was sufficient protection is invalid.

What does this mean?

The ruling is far wider than Facebook. In fact, there is no allegation that Facebook has done anything wrong.

As stated, some 4,500 US companies are currently signed up to Safe Harbour. They will now have to put in place alternative means of ensuring that they comply with the European data protection legislation. The most common method will be signing up to model contract clauses. However, this will cause an administrative burden. Particularly as knocking down Safe Harbour has the following effects:

• Individual European countries can set their own regulation for US companies' handling of their nationals’ data. This means that US companies may have to comply with different regulations for each European country. This will mean numerous different contractual requirements;
• Countries can choose to suspend the transfer of data to the US — forcing companies to host user data exclusively within the country. Russia has recently introduced this requirement.

No. Many companies send data about their employees and their customers to the US. Companies with a US parent often use IT systems located at the US headquarters to administer personal data such as HR and CRM. Likewise, significant numbers of companies outsourcing their IT systems to cloud service providers which frequently use US-based servers to store the data. Even companies that, for example, send payroll data to the US for administrative purposes will be caught by the collapse of Safe Harbour.