Major US firms are calling on the European Commission for urgent guidance after the Safe Harbor transatlantic data-transfer scheme was today suspended by Europe's top court.
The European Court of Justice has ruled invalid the US-EU Safe Harbor scheme that thousands of companies, including all US tech giants, rely on to transfer personal data to the US.
"The Court of Justice declares that the Commission's US Safe Harbour Decision is invalid," the EU Court of Justice (ECJ) said today.
The highly-anticipated decision follows the recommendation by ECJ adviser Yves Bot late last month that the court should rule the arrangement illegal and which accused US surveillance services of conducting "mass, indiscriminate surveillance".
The case was referred to the ECJ following a judicial review at Ireland's High Court in a dispute between Austrian law student Max Schrems and Ireland's Data Protection Commission (DPC).
The DPC had knocked back a request by Schrems to investigate Facebook's transfer of data to the US, following former CIA hand Edward Snowden revelations about the existence of the US PRISM surveillance program, which was participated in by Google, Facebook, Yahoo, Microsoft, and several other US tech firms.
The DPC rejected Schrems' request on the grounds of a European Commission ruling in 2000, which deemed that protection of data in the US was adequate and equivalent to fundamental rights guaranteed under Europe's data protection directive. As the DPC argued, the EC ruling had the effect of preventing it from investigating firms covered by Safe Harbor.
However, the ECJ ruling today confirmed that national data protection authorities "must be able to examine, with complete independence, whether the transfer of a person's data to a third country complies with the requirements laid down by the directive".
"The Court holds that the Commission did not have competence to restrict the national supervisory authorities' powers in that way," it said.
The ruling also means that Ireland's DPC will be required to investigate Schrems' complaint and decide whether or not to suspend the transfer of Facebook's European user data to servers in the US "on the ground that that country does not afford an adequate level of protection of personal data".
Ireland's high court, however, will be required to deliver its own decision on the dispute but is required to follow the ECJ's finding on the matters referred to it.
EC Commissioner of Justice Věra Jourová is expected to make a statement on the decision later today.
Following Snowden's revelations of US spying, the EC and US began renegotiating the Safe Harbor agreement but were unable to meet the initial May timeframe for a deal.
Currently over 4,000 US organisations have self-certified compliance with the the Safe Harbor scheme in the US, which is overseen by the Department of Commerce. Companies gain certification to send to the US user data, say to support customer service functions, or human resource data for employees.
The US Embassy to Europe last week called on the ECJ not to invalidate Safe Harbor, warning it would undermine the EC's ability to strike trade agreements and cause harm to the protection of individual rights and the free flow of information.
It also claimed Bot made a number of "inaccurate assertions" about the practices of US intelligence services, pointing out that PRISM only targeted valid foreign intelligence targets.
The question for the tech industry, given today's decision, is what other mechanisms are available to legally transfer European data to the US. One option, for example, are Europe's Model Clause contracts for transferring personal data to third countries. That option, however, is likely to be more cumbersome than Safe Harbor.
International business consultant at Radius Stuart Buglass said the transfer agreement must comply with the EU Commission model clauses and contractually binds the US receiver to the same EU data privacy standards and liabilities as apply to the EU data controller.
"Obviously introducing new contractual undertakings to existing supply chains won't be easy but given the decision by the ECJ today we can see no other realistic option," Buglass said.
An even worse prospect is that companies could be required to gain the consent of every person whose data will be transferred to the US, he added.
The Computer and Communications Industry Association, whose members include Amazon, Google, Facebook, eBay, Yahoo, and Netflix, today called for the EC to issue guidance for companies that relied on the defunct agreement.
"We urge the European Commission to immediately issue guidance to companies that depend on Safe Harbor for their commercial data flows," said CCIA Europe Director Christian Borggreen.
"We expect that a suspension of Safe Harbor will negatively impact Europe's economy, hurt small and medium-sized enterprises, and the consumers who use their services, the most."
Trade body BSA said it is very disappointed by today's decision and concerned that it will hit not just providers of data services but consumers of those services.
"Today's decision further underscores the importance of ongoing negotiations to craft a renewed and strengthened framework. The Safe Harbor agreement is extremely important to ensuring European citizens have full access to the range of data services now transforming the European economy," BSA EMEA policy director of policy Thomas Boué said in a statement.
However, EU and US consumer group TACD welcomed the ECJ decision and called on the US to enact privacy legislation to ensure fundamental rights for individuals in both the continents.
"Safe Harbor was designed to enable US data companies to engage in nothing less than pervasive commercial surveillance in the EU. The US authorities do not investigate or have the enforcement resources or legal tools to protect Europeans' data. The end of the current Safe Harbor regime will be a major global victory for privacy," US chairman of the TACD Information Society Policy committee Jeffrey Chester said in a statement.