Categories: Security

Top EU Court Invalidates ‘Safe Harbour’ Data-Sharing Agreement

The top court of the European Union on Tuesday has suspended an agreement that has allowed data-sharing between the EU and the US for the past 15 years, following months of increased tensions over spying and the protection of personal data.

The ruling by the Court of Justice of the European Union (CJEU) means that the more than 4,000 companies who depend upon the agreement, including major US companies such as Google, Facebook and Amazon, will need to rework their data-sharing practices in order to maintain compliance with the law.

Data-protection decision

The ruling was the court’s final decision in a data-protection case brought by 27-year-old Austrian law student Max Schrems against the Irish data protection commissioner.

That case, in turn, was spurred by Schrems’ concerns over the collection of his personal data by Facebook, whose European headquarters is in Ireland, and the possibility that the data was being handed over to US intelligence services.

However, the so-called “Safe Harbour” agreement has been in question since 2013, when former NSA contractor Edward Snowden published documents revealing broad surveillance programmes carried out by the US government, including the collection of data from US Internet companies.

Following those leaks, the EU has been in negotiations with the US for a new Safe Harbour agreement that would place limits on government authorities’ access to transferred data.

An agreement on a new deal is thought to be close, but the invalidation of the current agreement, in place since 2000, is likely to create difficulties for many trans-Atlantic companies in the short term.

‘Invalid’ law

The court declared that the previous Safe Harbour deal was “invalid” as it takes data on European citizens outside the protection of European authorities.

The deal was originally intended to facilitate data-transfers to the US, a country whose data-protection regime is less stringent than that of the EU.

In September, the advocate-general of the European Court of Justice said in a legal opinion that Safe Harbour should be invalidated in light of “mass and indiscriminate surveillance” by the US government, in reference to the data-collection practices revealed by Snowden.

Last week the US Mission to the EU in Brussels disagreed, saying the opinion rested upon “numerous inaccurate assertions about the intelligence practices of the US”.


The Washington, DC-based Computer & Communications Industry Association (CCIA) on Tuesday urged the European Commission to issue guidance for the companies that depend upon Safe Harbour in order to ease the “uncertainty” caused by the court’s ruling.

“We expect that a suspension of Safe Harbor will negatively impact Europe’s economy, hurt small and medium-sized enterprises, and the consumers who use their services, the most,” said CCIA Europe director Christian Borggreen.

Industry observers said the invalidation of Safe Harbour could incur significant costs for trans-Atlantic companies as they rework their data-handling infrastructure, with costs potentially including a massive expansion of Europe-based data centre capacity.

The CJEU’s ruling comes at a time when companies are finding it increasingly difficult to ensure the security of individuals’ personal data, even within national borders, with massive data breaches becoming increasingly commonplace and data-protection complaints growing rapidly.

However privacy campaigners have welcomed the move.

“In the face of the Snowden revelations, it is clear that Safe Harbor is not worth the paper its written on,” said Jim Killock, executive director of the Open Rights Group. “We need a new agreement that will protect EU citizens from mass surveillance by the NSA.”

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

View Comments

  • The real answer of course is for the US government to start respecting the privacy of their citizens and to stop ignoring the ideals of their founding fathers.

    If anyone was in any doubt, this ruling totally vindicates the action that Edward Snowden took revealing the actions and criminal behaviour of the US towards its own citizens and others with its mass surveillance . If anyone deserves a Noble Peace Price he does!

    Should add surveillance powers are required, but they have to be targeted and for a specific reason and overseen by the judiciary, like any search warrant.

Recent Posts

Google Must Face Trial In Ad Tech Monopoly Case

Google loses bid for summary judgement as judge says 'too many facts in dispute' as…

5 hours ago

Silicon In Focus Podcast: Feeding the Machine

Learn how your business can meet the challenges associated with managing data across multiple platforms…

5 hours ago

Apple, Meta Likely To Face EU Antitrust Charges

Apple, Facebook parent Meta reportedly likely to face EU antitrust charges before August under new…

5 hours ago

Adobe Shares Jump On AI Success

Adobe shares post biggest gains in more than four years after it reports user take-up…

6 hours ago

Winklevoss’ Gemini To Pay $50m In Crypto Fraud Settlement

Winklevoss twins' Gemini Trust to pay $50m to settle cypto fraud claims over failed Gemini…

6 hours ago

Meta Delays EU AI Launch After Privacy Complaints

Meta delays Europe launch of AI in Europe after user, privacy group complaints over plans…

7 hours ago