Europe’s highest court has ruled that the Safe Harbor framework, designed to simplify data transfer between countries of the European Union and the US, is not serving its purpose.

Safe Harbor was developed by the US authorities and adopted by the EU in 2000 to simplify digital service exchange across the Atlantic.

In its ruling, the European Court of Justice (ECJ) said “national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements.“

The court has invalidated the framework with immediate effect. The decision could have wide-ranging implications for thousands of US businesses, including Facebook and Google, and is likely to leave a mark on the European data center market.

The ECJ ruling is final and cannot be appealed.

EU court gavel
– Thinkstock / Zebor

Snowden’s legacy

Safe Harbor was designed by the US Department of Commerce in consultation with the EU, and adopted by the European Commission 15 years ago in order to help American companies comply with Europe’s strict data protection laws.

The framework outlined the seven Safe Harbor data protection principles and assumed that any organization that signed up to it would comply. It allowed for self-assessment, and effectively placed large foreign businesses out of reach of European privacy watchdogs.

This didn’t satisfy Austrian privacy campaigner Max Schrems, who, following the release of the US intelligence data by Edward Snowden, argued that European citizen data would then be shared with the US authorities. Schrems launched a legal challenge against Facebook in Ireland in 2014, eventually escalating it to ECJ.

In the text of the decision, the ECJ makes direct allusions to mass surveillance by the NSA – legal under the US law - stating that “legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.”

The decision could mean that any US company that wants to transfer data out of the EU will need to negotiate with individual regulators. Many businesses could avoid the issue altogether by choosing to host European citizen data in Europe – something that would serve as a shot in the arm for the regional data center market.

“American companies are going to have to restructure how they manage, store and use data in Europe and this will take a lot of time and money,” warned Mike Weston, CEO of data science consultancy Profusion.

The biggest casualties will not be companies like Google and Facebook because they already have significant data center infrastructure in countries like the Republic of Ireland, it will be medium-sized, data-heavy tech companies that don’t have the resources to react to this decision. Many of these businesses will reconsider how and whether they operate in Europe, which is bad news for everyone.”