A 15-year-old agreement that makes it easier for thousands of US companies to run websites and online services has been declared invalid by a European Court.
The ditching of the Safe Harbor arrangement means US companies wanting to handle the personal data of most European customers will now have to rethink their data protection policies. In theory it could cause some firms to suspend operations for European users for some time.
Back in 2000 the European Union reached an arrangement with US officials over data protection. The deal meant that a company transferring data from a European Union member country to the US did not have to go through the data protection regulatory process in the European country.
That arrangement has been declared invalid by the European Court of Justice, the senior court which rules on matters of law relating to the EU. It reached the verdict in a case brought by Austrian privacy campaigner Max Schrems.
The case started following the Edward Snowden revelations, which included a claim that the National Security Agency had accessed personal data from US companies relating to European citizens.
As Facebook is based in Ireland, Schrems asked the Irish Data Protection Commission to check what information Facebook was sending to the US. The Commission refused to do so, saying that the Safe Harbor arrangement meant such details were outside its remit.
Exactly what happens next is unclear. The BBC notes that although companies were aware of the possibility of Safe Harbor being thrown out, the judgment has come much sooner than anyone expected.
The practical effect is that any US company that transfers data from Europe to the US will now need to reach an individual agreement with data regulators in the relevant country. As part of that agreement, the company will need to prove that the way it handles the data in the US will meet the — often tougher — rules of the European country. That could include strengthening encryption and doing more to prevent security and law enforcement officials being able to access the data.
In the long term it’s possible the EU and US could reach a new agreement, though that would be a complicated political and legal process that might struggle to resolve different approaches to the balance of security against privacy.