A 15-year-old agreement used to regulate data collection by US companies has been ruled "invalid" by the European Court of Justice (ECJ).
The ruling makes clear that it is the responsibility of national data protection bodies to ensure that the privacy of their citizens is respected by US companies. Although the ruling does not mean that US companies will suddenly stop transferring data over the Atlantic, it acts as a platform for further legal reform.
Facebook is at the centre of the complaint that started the whole process off, but the ruling applies equally to many other US-based companies.
What is 'Safe Harbor'?
Plenty of countries have their own data protection laws. These ensure that citizens' data is protected by all kinds of safeguards when it's collected by a company. However, back in 2000, the Clinton administration created a special agreement with the European Commission called Safe Harbor.
This agreement allowed US companies to self-certify that they were carrying out all the necessary data protections, in order to provide a "streamlined and cost-effective means" for them to transfer data from Europe.
What Does the "Invalid" Ruling Mean?
In essence, the ECJ ruling says that Safe Harbor cannot override the role of national data protection bodies in their responsibilities to ensure citizens' data is properly handled.
In the words of the Court, Safe Harbor "cannot eliminate or even reduce the powers available to the national supervisory authorities." So if people are worried about US companies handing their data over to, say, the NSA, they should be able to complain to local bodies.
"The [European Court of Justice] has batted back to the data protection authorities: You've got to ensure that fundamental rights are protected in each arrangement," Jim Killock, executive director of Open Rights Group, told Motherboard in a phone interview.
Today's ruling is the result of one specific complaint. After the Edward Snowden revelations of 2013, plenty of people became concerned about how data held by US companies was being collected by the NSA. One of those was Max Schrems, an Austrian citizen who filed a complaint with Ireland's Data Protection Commissioner against Facebook's Irish subsidiary, alleging that the company violated data protection laws by exporting data over to its US parent company, and then provided this data to the NSA.
That body rejected the complaint, and pointed out that any protections of Schrems' data would be adequately handled under Safe Harbor. So Schrems took the issue to the European Court of Justice.
The key takeaway of the ruling, according to Hosein, is that Safe Harbor provides insufficient rights of redress for Europeans.
"The European Court of Justice only overlooks European Union law, and it can only 'invalidate' something. It's not in a position to say that something is unlawful," he said.
Nevertheless, "Declaring it invalid is the strongest thing they could possibly do," he added. "Basically, it says that the agreement made is not a valid agreement, and so they have to go back to the drawing board."
What Happens Now?
Hosein feels that companies should be well-prepared for this moment. "The smarter companies who have very expensive lawyers working for them have most likely created work-around arrangements until the legal situation is fixed," he said.
"It's incredibly unlikely that anyone is just going to pull the plug," Killock added.
A spokesperson from Facebook said that, "Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor."
The spokesperson continued, "It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security."
Hosein explained that the ruling doesn't directly affect the issue of NSA surveillance itself. "It doesn't stop the US government from being able to demand this information," he said.
"That is why what is truly needed is US legal reform," Hosein continued. "Ideally, this move will make US Congress realise its lack of data protection laws is discriminating against non-Americans and affecting US industry," Hosein added.
What this ruling does, Killock feels, is "[force] an argument between the EU and the USA, to come to an arrangement where people's privacy is respected."