Facebook data transfers threatened by Safe Harbour ruling

Friday 22 November 2024 ,

Online Version

Facebook data transfers threatened by Safe Harbour ruling

BBC

Austrian Max Schrems (left) arrives with his lawyer Herwig Hofmann (right) before a verdict at the European Court of Justice (SCJ) in Luxembourg, yesterday. Austrian activist Schrems is suing for damages against the US firm on behalf of 25,000 Facebook users, arguing that Facebook collects and uses private data without adequate consent from users. Schrems also charges that Facebook has provided data to the National Security Agency (NSA), the US digital intelligence unit. AFP PHOTO

A pact that helped the tech giants and others send personal data from the EU to the US has been ruled invalid.
The European Court of Justice said that the Safe Harbour agreement did not eliminate the need for local privacy watchdogs to check US firms were taking adequate data protection measures. It also added that the ruling meant Ireland's regulator now needed to decide whether Facebook's EU-to-US transfers should be suspended, reports BBC.
The pact has existed for 15 years. And Facebook has denied any wrongdoing. "This case is not about Facebook," said a spokeswoman.
"What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows. "We will of course respond fully to any enquiries by our regulator the Irish Data Protection Commission as they look at how personal data is being protected in the US. "The outcome... will have significant implications for all Irish companies who transfer data across the Atlantic. "The ruling was the result of a legal challenge by an Austrian privacy campaigner concerned that the social network might be sharing European's personal data with US cyberspies.
"I very much welcome the judgement of the court, which will hopefully be a milestone when it comes to online privacy," said Max Schrems on learning of the judgement.
"It clarifies that mass surveillance violates our fundamental rights." But others warned it could have far-reaching consequences.
"Thousands of US businesses rely on the Safe Harbour as a means of moving information to the US from Europe," said Richard Cumbley from the law firm Linklaters. "Without Safe Harbour, they will be scrambling to put replacement measures in place."
The European Commission is expected to give a press conference later in the day to explain how it plans to react to the ruling.
The term refers to an agreement struck by the EU and US, that came into effect in 2000. It was designed to provide a "streamlined and cost-effective" way for US firms to get data from Europe without breaking its rules.
The EU forbids personal data from being transferred to and processed in parts of the world that do not provide "adequate" privacy protections.
So, to make it easier for US firms - including the tech giants - to function, Safe Harbour was introduced to let them self-certify that they are carrying out the required steps. More than 5,000 US companies make use of the arrangement to facilitate data transfers.
In 2013, whistleblower Edward Snowden leaked details about a surveillance scheme operated by the NSA called Prism. It was alleged the agency had gained access to data about Europeans and other foreign citizens stored by the US tech giants. Privacy campaigner Max Schrems asked the Irish Data Protection Commission to audit what material Facebook might be passing on. However, the watchdog declined saying the transfers were covered by Safe Harbour. When Schrems contested the decision, the matter was referred to the European Court of Justice. The case reflected a clash between two cultures: in the EU, data privacy is treated as a fundamental right; in the US, other concerns are sometimes given priority.
Personal data should no longer be transferred to US bodies solely on the basis they are Safe Harbour-certified.
Instead to authorise the "export" of the data, the two bodies involved must draw up and sign what's referred to as "model contract clauses", which set out the US organisation's privacy obligations. "It will involve lots of contracts between lots of parties and it's going to be a bit of a nightmare administratively," commented Nicola Fulford, head of data protection at the UK law firm Kemp Little.
"The model clauses themselves are standard form - what you need to put into them are details of the data involved and the security steps being taken."It's not that we're going to be negotiating them individually, as the legal terms are mostly fixed, but it does mean a lot more paperwork and they have legal implications."
All of this will drive up costs and potentially cause delays.

Comments

Facebook data transfers threatened by Safe Harbour ruling

BBC

A pact that helped the tech giants and others send personal data from the EU to the US has been ruled invalid. The European Court of Justice said that the Safe Harbour agreement did not eliminate the need for local privacy watchdogs to check US firms were taking adequate data protection measures. It also added that the ruling meant Irelands regulator now needed to decide whether Facebooks EU-to-US transfers should be suspended, reports BBC. The pact has existed for 15 years. And Facebook has denied any wrongdoing. This case is not about Facebook, said a spokeswoman. What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows. We will of course respond fully to any enquiries by our regulator the Irish Data Protection Commission as they look at how personal data is being protected in the US. The outcome... will have significant implications for all Irish companies who transfer data across the Atlantic. The ruling was the result of a legal challenge by an Austrian privacy campaigner concerned that the social network might be sharing Europeans personal data with US cyberspies. I very much welcome the judgement of the court, which will hopefully be a milestone when it comes to online privacy, said Max Schrems on learning of the judgement. It clarifies that mass surveillance violates our fundamental rights. But others warned it could have far-reaching consequences. Thousands of US businesses rely on the Safe Harbour as a means of moving information to the US from Europe, said Richard Cumbley from the law firm Linklaters. Without Safe Harbour, they will be scrambling to put replacement measures in place. The European Commission is expected to give a press conference later in the day to explain how it plans to react to the ruling. The term refers to an agreement struck by the EU and US, that came into effect in 2000. It was designed to provide a streamlined and cost-effective way for US firms to get data from Europe without breaking its rules. The EU forbids personal data from being transferred to and processed in parts of the world that do not provide adequate privacy protections. So, to make it easier for US firms - including the tech giants - to function, Safe Harbour was introduced to let them self-certify that they are carrying out the required steps. More than 5,000 US companies make use of the arrangement to facilitate data transfers. In 2013, whistleblower Edward Snowden leaked details about a surveillance scheme operated by the NSA called Prism. It was alleged the agency had gained access to data about Europeans and other foreign citizens stored by the US tech giants. Privacy campaigner Max Schrems asked the Irish Data Protection Commission to audit what material Facebook might be passing on. However, the watchdog declined saying the transfers were covered by Safe Harbour. When Schrems contested the decision, the matter was referred to the European Court of Justice. The case reflected a clash between two cultures: in the EU, data privacy is treated as a fundamental right; in the US, other concerns are sometimes given priority. Personal data should no longer be transferred to US bodies solely on the basis they are Safe Harbour-certified. Instead to authorise the export of the data, the two bodies involved must draw up and sign whats referred to as model contract clauses, which set out the US organisations privacy obligations. It will involve lots of contracts between lots of parties and its going to be a bit of a nightmare administratively, commented Nicola Fulford, head of data protection at the UK law firm Kemp Little. The model clauses themselves are standard form - what you need to put into them are details of the data involved and the security steps being taken.Its not that were going to be negotiating them individually, as the legal terms are mostly fixed, but it does mean a lot more paperwork and they have legal implications. All of this will drive up costs and potentially cause delays.