Facebook is calling on US and EU governments to work together after Europe’s top court struck down the “Safe Harbour” decision used by thousands of companies to legitimise the transfer of personal data between America and Europe on Tuesday.
Issued by the European Commission in 2000, “Safe Harbour” (or “Safe Harbour,” depending on where you’re from) offered a way for companies to easily transfer data between the US and Europe’s myriad different regulatory regimes. But after a legal challenge from an Austrian privacy activist against Facebook following Edward Snowden’s revelations of US government spying, the European Court of Justice has ruled it invalid.
Responding to the verdict, issued Tuesday morning, the Californian company says that “this case is not about Facebook,” and that “the Advocate General himself said that Facebook has done nothing wrong.”
Instead, “what is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows … It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.”
Max Schrems, who brought the initial case against Facebook, has welcomed the verdict, “which will hopefully be a milestone when it comes to online privacy,” he said in a statement. “This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible. The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it.”
The end of Safe Harbour doesn’t necessarily mean the end of data transfers between Europe and the US — although national regulators are now empowered to demand an end (or amendment) to transfers if they view them as unlawful.
Other methods for transfer also exist, including gaining the consent of data subjects, and the use of model-clauses pre-approved by the EU. But none of the options are as smooth as Safe Harbour. Facebook says it doesn’t rely on Safe Harbour to legitimise its data transfers, and won’t be immediately affected; the same is likely to be true of many big companies sending data across the Atlantic.
Schrems’ case has now been bounced back to the Irish courts, which had previously argued it did not have the authority to deal with his allegations of privacy violations due to Safe Harbour. If the court rules that Facebook cannot offer adequate privacy protections in the US, it could then demand a halt to the transfer of Europeans’ data — an infrastructural nightmare for the social network.
Here’s the full statement from Facebook:
This case is not about Facebook. The Advocate General himself said that Facebook has done nothing wrong.
What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows.
Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbour.
It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.