Once again Europe challenges US privacy laws. Today, the Court of Justice of the European Union invalidated a EU-US pact that allowed for easy data transfers from the EU into the US. The decision will put more pressure on the US to tighten up its privacy laws. Privacy is a basic human right in the EU while most US states are still struggling to prohibit employers and schools from demanding passwords to employees'/students' social media accounts. In light of this latest Court decision, American companies such as Facebook and Google will have to restructure how they collect, use and store personal data collected from Europe.
Austrian graduate student brought that lawsuit. It alleged
that the Europeans’ personal data is unsafe in the US because the law of that
country inadequately protects it and the US Gov’t likes to spy on people’s
personal information. In particular mass
surveillance under NSA’s PRISM program raised serious concerns. U.S. intelligence services were able to
access people’s personal information in the databases of Facebook and other
tech giants. The lawsuit claims mass surveillance by US authorities violates
Europeans’ fundamental rights.
So, the Court of Justice of the European Union ruled that
the EU-US Safe Harbor agreement on the transfer of personal data is invalid.
The Safe Harbor agreement had been in place since 2000. What was the agreement
for?
EU law requires that companies exporting European citizens'
personal data can only do that to countries providing a similar level of legal
protection for that data. The Safe Harbor was the agreement that certified that
the US provided adequate protection. It was, thus, easy for thousands of US
companies to transfer data from the EU to US. All they had to do was to
self-certify that they comply with the acceptable privacy principles. More than
5,000 US companies took advantage of the convenient Safe Harbor arrangement to
facilitate data transfers.
But now that the Safe Harbor is invalid, Europeans’ personal
data can no longer be transferred to US businesses solely on the basis of the
Safe Harbor certification. Instead, to authorize data transfer, the parties
have to rely on other methods such as the "model contract clauses",
which set out the US business’s privacy practices and obligations. That would,
of course, be inconvenient and will create lots more administrative work for
the US companies.
The decision will put more pressure on the US to tighten up
its privacy laws. The US and EU have been negotiating to update the Safe Harbor
agreement for almost two years already but it’s still unclear whether the
parties are close to concluding the deal.