Wired spoke with legal and privacy experts about what could happen in the wake of the latest ruling in the Max Schrems case.
What was the Safe Habour agreement?
Safe Harbour was a deal between the US and the EU that allowed for the easy transfer of personal data.
It was established because US data protection laws didn’t match EU standards. EU data protection laws state that companies can only transfer EU citizens’ data outside of member states if the destination country has data protection laws that match those of the Union.
The US doesn’t have blanket data protection laws in place though. It has “sectoral” laws that address data protection in some areas — like the financial industry and children’s data — but it doesn’t have one federal law regulating data collection and storage. The US constitution offers some protections for US citizen data, but has no such defence for foreign citizens.
Until 2000 this meant EU personal data couldn’t be shared with the US. So both parties drew up the Safe Harbour agreement to allow licensed companies to carry data back to the US. There are currently over 4,000 companies registered under the Safe Harbour agreement, including Facebook, Google and Twitter.
In the wake of Edward Snowden’s revelations about the NSA’s mass surveillance operations, this law came under fire — with Austrian law student Max Schrems bringing the case to the European Court of Justice.
Which companies operated under Safe Harbour?
The 4,000 or so businesses that were part of the Safe Harbour agreement include the major tech companies Airbnb, Apple, Google, Facebook, LinkedIn, Twitter and Yahoo. Also big businesses like Adobe, Coca-Cola Enterprises, Ford Motor Company and eBay were signed up. The full list of companies is available to read here.
The Safe Harbour case has been ongoing since Austrian law student Max Schrems demanded his data from Facebook in 2010Joe Klamar/Getty
Why is the ruling important?
The ruling means the US and EU will have to renegotiate a data sharing agreement. For companies to continue operating across the Atlantic, the EU will either have to bend to the US, or the US will have to draft stronger data protection laws.
“It’s a historical judgement. Safe Harbour shouldn’t have been agreed to 15 years ago,” Anna Fielder, Privacy International’s chair of the board.
“There’s a lot of data transfers, not just between the EU and the US but between the EU and lots of other countries. And those countries don’t have special arrangements like Safe Harbour. They have to operate under EU legislation,” Fielder explained.
