In what is being called a “landmark decision”, the European Court of Justice has ruled the Safe Harbour Framework, the legal agreement between Europe and the United States that governs the transfer of personal and private information, invalid because of US law enforcement requirements. This comes after a challenge from Austrian privacy advocate Max Schrems in 2014 to an Irish Data Protection Commission decision to not investigate Facebook’s transfer of European data to US data centers following revelations by Edward Snowden of US intelligence practices.
The decision by the ECJ makes it clear why they decided as they did, saying
".. the national security, public interest and law enforcement requirements of the United States prevail over the Safe Harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements.
The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference,"
The decision could mean that 5000 businesses believed to be taking advantage of the Safe Harbour Framework will have to revisit their data transfer procedures, and current procedures may run afoul of European data protection laws because of NSA mass surveillance. Facebook, in particular, is at risk due to Schrems’ initial complaint being directed at them.
Some critics to the decision are saying that this may cut Europe off from the online services offered by the United States, leading to businesses who rely on a known legal framework to transfer data to depart Europe. The Computer & Communications Industry Association is urging the EU and US to devise a new Safe Harbour agreement to ensure that businesses are not affected by the decision.
This decision follows in line with previous European rulingss leaning towards personal privacy, such as the so-called "Right to be forgotten" which has been upheld and expanded, as well as supporting Microsoft in it"s fight against the US overreach on data in overseas datacenters.