© AP

For the past 15 years, a little-known agreement called “safe harbour” has quietly enabled the likes of Facebook, Amazon and Google to become wildly popular in Europe.

But the agreement, which allows companies to transfer customer data from the EU to the US, has in effect been scuppered by the European Court of Justice in a judgment released on Tuesday.

The ECJ, endorsing a ruling last month by a top adviser to the court, concluded that the “safe harbour” agreement was invalid because it prevented data protection authorities from intervening to protect citizens who claimed their right to privacy had been breached.

So what is the agreement, how did it get into trouble and why does it matter?

Why do companies transfer data?

Data has to be stored somewhere. Everything we put online — from pictures of nephews to credit card details — eventually finds its way on to a server.

Since the internet is dominated by US companies, these servers tend to be based in the US. Transferring data across the Atlantic is generally a quicker and cheaper option than building a wholly independent set-up in Europe, especially for younger companies.

What is safe harbour?

Safe harbour is an agreement between the US and the European Commission that lets businesses transfer data on European citizens across the Atlantic.

The EU’s rules on data protection make it illegal to transfer personal details to any country that does not meet the bloc’s privacy standards.

Safe harbour, which was set up in 2000, provides a shortcut for companies operating in the US. If they agree to meet certain rules — such as notifying customers when their information is collected and used — they can then transfer data from the EU to the US.

So why is it important?

Roughly 4,400 companies use safe harbour, including some of the world’s biggest technology groups such as Facebook and Amazon.

Without safe harbour, data transfers across the Atlantic would become much more cumbersome for both big and small businesses. Companies could be forced to operate effectively as separate entities in the US and the EU, according to the agreement’s defenders.

More broadly, data transfer is a key issue in the sprawling trade deal the EU and US are negotiating. The court’s decision is likely to add yet another degree of complexity to the Transatlantic Trade and Investment Partnership.

How did this legal challenge come about?

Max Schrems, a 27-year-old Austrian law student, took the Irish Data Protection Commissioner — which regulates Facebook — to court.

Mr Schrems argued that the regulator had failed to protect him from the mass internet surveillance by the US National Security Agency revealed in 2013 by Edward Snowden.

Although Facebook’s international business is established in Ireland, the social network stores most of its customer data in the US, where Mr Schrems argues it was not sufficiently protected from US surveillance.

But the Irish data protection agency said it could not suspend transfers by Facebook to the US since the social network is part of safe harbour.

That all sounds controversial

It is. After last month’s interim ruling, Washington took the extraordinary step of accusing the ECJ of getting its facts wrong while the case was effectively still ongoing.

The US state department said it was “simply not the case” that the US had carried out “mass indiscriminate surveillance”, which according to the interim judgment was the reason that data protection could not be assured in transfers of data under safe harbour.

But on Tuesday the court doubled down on its previous opinion, saying that safe harbour “enables interference, by United States public authorities, with the fundamental rights of persons”.

What will happen next?

Everything is now up in the air.

Brussels and Washington have been stuck in negotiations for months, trying to hammer out a new deal that pleases both privacy campaigners and businesses.

Before Tuesday, if you asked any European Commission official about safe harbour’s future, you would have received a bullish response. Their line was simple: any criticism from the ECJ is aimed at the old safe harbour; they are devising a new one, with greater safety measures.

But Brussels cannot be seen to simply ignore the EU’s top court — especially when it issues such a clear verdict — and the commission will come under even more pressure from MEPs.

The ECJ’s ruling will complicate negotiations that have already dragged on for months longer than they were expected.

Who else will be affected?

The 4,400 businesses that rely on safe harbour will have to overhaul their businesses to avoid breaking the law in the short term.

Big businesses say they will manage. Companies such as Facebook and Amazon have already spent millions building data centres in Europe to satisfy demands from corporate customers who want to keep information there. Changing the way they handle customer data will not be too much of a stretch.

But smaller companies are more likely to suffer. Many small businesses use safe harbour as a way of getting a foothold in Europe without having to set up expensive separate operations on the continent. But that harbour is now shut.

But what about beyond the business world?

Throughout the process, American diplomats have been quick to point out that the US was far from the only country to snoop extensively on electronic communications: European intelligence agencies do it too.

These operations may also face the ire of the ECJ, which made clear on Tuesday that mass surveillance contravened the fundamental rights of EU citizens — no matter who does it.

Tuesday’s ruling will ring alarm bells from Silicon Valley all the way to GCHQ’s headquarters in Cheltenham.

Copyright The Financial Times Limited 2023. All rights reserved.
Reuse this content (opens in new window) CommentsJump to comments section

Follow the topics in this article