Top EU Court Invalidates ‘Safe Harbour’ Data-Sharing Agreement

Safe Harbour, introduced in 2000, allows companies to transfer data on EU citizens to the US

The top court of the European Union on Tuesday suspended an agreement that has allowed data-sharing between the EU and the US for the past 15 years, following months of increased tensions over spying and the protection of personal data.

The ruling by the Court of Justice of the European Union (CJEU) means that the more than 4,000 companies that depend upon the agreement, including major US companies such as Google, Facebook and Amazon, will need to rework their data-sharing practices in order to maintain compliance with the law.

Data-protection decision

The ruling was the court’s final decision in a data-protection case brought by 27-year-old Austrian law student Max Schrems against the Irish data protection commissioner.

That case, in turn, was spurred by Schrems’ concerns over the collection of his personal data by Facebook, whose European headquarters is in Ireland, and the possibility that the data was being handed over to US intelligence services.

However, the so-called “Safe Harbour” agreement has been in question since 2013, when former NSA contractor Edward Snowden published documents revealing broad surveillance programmes carried out by the US government, including the collection of data from US Internet companies.

Following those leaks, the EU has been in negotiations with the US for a new Safe Harbour agreement that would place limits on government authorities’ access to transferred data.

An agreement on a new deal is thought to be close, but the invalidation of the current agreement, in place since 2000, is likely to create difficulties for many trans-Atlantic companies in the short term.

‘Invalid’ law

The court declared that the previous Safe Harbour deal was “invalid” as it takes data on European citizens outside the protection of European authorities.

The deal was originally intended to facilitate data-transfers to the US, a country whose data-protection regime is less stringent than that of the EU.

In September, the advocate-general of the European Court of Justice said in a legal opinion that Safe Harbour should be invalidated in light of “mass and indiscriminate surveillance” by the US government, in reference to the data-collection practices revealed by Snowden.

Last week the US Mission to the EU in Brussels disagreed, saying the opinion rested upon “numerous inaccurate assertions about the intelligence practices of the US”.


The Washington, DC-based Computer & Communications Industry Association (CCIA) on Tuesday urged the European Commission to issue guidance for the companies that depend upon Safe Harbour in order to ease the “uncertainty” caused by the court’s ruling.

“We expect that a suspension of Safe Harbor will negatively impact Europe’s economy, hurt small and medium-sized enterprises, and the consumers who use their services, the most,” said CCIA Europe director Christian Borggreen.

Industry observers said the invalidation of Safe Harbour could incur significant costs for trans-Atlantic companies as they rework their data-handling infrastructure, with costs potentially including a massive expansion of Europe-based data centre capacity.

The CJEU’s ruling comes at a time when companies are finding it increasingly difficult to ensure the security of individuals’ personal data, even within national borders, with massive data breaches becoming increasingly commonplace and data-protection complaints growing rapidly.

However, privacy campaigners have welcomed the move.

“In the face of the Snowden revelations, it is clear that Safe Harbor is not worth the paper it’s written on,” said Jim Killock, executive director of the Open Rights Group. “We need a new agreement that will protect EU citizens from mass surveillance by the NSA.”
