ECJ’s Takedown of Safe Harbor Spells Trouble for U.S. Firms (Oct. 7, 2015)
Europe’s top court has struck down a longstanding agreement that enabled U.S. companies to handle the personal data of users in the European Union without being subjected to EU privacy rules—a decision that will significantly affect not only tech giants like Google and Facebook, but payments and financial services companies, as well. The European Court of Justice (ECJ) this week ruled in favor of an Austrian citizen who claimed his personal data was not being sufficiently protected by Facebook in light of revelations about U.S. government surveillance practices. The ruling invalidated the so-called Safe Harbor agreement, a 15-year-old pact that enabled American companies that handle European users’ data—such as Web search histories and social media updates—to bypass Europe’s strict data privacy laws, which tightly govern how such data can be gathered and used. Safe Harbor also set forth one set of guidelines covering the collection and storage of data for users in all 28 EU nations. The ECJ is the equivalent of the U.S. Supreme Court, and thus no appeal is possible.
With the agreement struck down, U.S. companies must comply with the guidelines of each individual EU member state, potentially leading to major complications for search and social media platforms and financial services companies. “Any company that transmits or possesses personal data on EU citizens and that, up to now, relied on the safe harbor provided in the compact can no longer do so,” Eli A. Rosenberg, an associate with Baird Holm LLP and a Pay Gov contributing editor, tells Paybefore. “For example, data processors that store or transmit customer or cardholder data or money transmitters that collect consumer information will probably need to change their business practices, as I believe nearly all of them relied on that safe harbor.”
The situation is further complicated by the fact that the EU currently is in the process of implementing new EU-wide data protection directives, set to take effect in 2017, notes Rosenberg. U.S. companies are now in the position of having to ensure they’re in compliance with a patchwork of laws in each EU country, while also preparing for the forthcoming new regulations. “Companies need to seek counsel on what their obligations are now that the Safe Harbor is invalidated and they need to pay attention to the coming regulations that will change the directives currently in place,” he says.