Scuttling of Safe Harbor Leaves Companies in Holding Pattern
NEWS ANALYSIS: Can consumer data legally be transferred from Europe to the U.S.? A ruling by the EU's top court puts multinational companies in legal jeopardy.
In June 2013, Austrian resident Max Schrems asked Ireland's data-protection commissioner to prevent Facebook from transferring his data to the United States. Because all European Facebook users must agree to have their data transferred overseas for processing, they lose the protection of Europe's Data Protection Directive, and Schrems worried that his personal data could not be protected under U.S. law.
While a legal framework known as the Safe Harbor provision requires that U.S. companies agree to protect European citizens' data, documents leaked by former U.S. National Security Agency contractor Edward Snowden highlighted that the companies also provided data to counter-terrorism agencies through a variety of intelligence programs.
Schrems' case was initially denied. In a ruling released on Oct. 6 that has shaken multinational corporations, however, the European Union's highest legal authority ruled that Safe Harbor is invalid and returned power to each European country's data-protection commissioner to review cases.
The ruling puts U.S. companies in legal jeopardy. No longer can they be assured that their data-collection practices will not be challenged by European citizens, and the legality of transferring data from the EU is a legal gray area.
"This causes all sorts of headaches for any multi-national company that needs to operate in both countries," Omer Tene, vice president of research for the International Association of Privacy Professionals, told eWEEK. While Facebook is the company against which Schrems filed his complaint, any corporation that transfers data across the Internet is in equal jeopardy, Tene said. "It could have been anyone else, not just Facebook. He could have filed against any company that had operations in both countries."