Facebook in Trouble: EU Court Rules Data Protection Deal “Invalid”

In declaring the data transfer deal invalid, the Court said the Irish data protection authority had the power to investigate Schrems’ complaint and subsequently, decide whether to suspend Facebook’s data transfers to the United States.

“Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the USA from Europe, aside from Safe Harbor”.

Europe’s top court ruled Tuesday that data stored on USA servers isn’t safe because of government spying, a giant blow to companies such as Facebook that might need to change the way they handle private data from Europe. “In the light of the ruling, we will continue this work towards a renewed and safe framework”, European Commission Vice President Frans Timmermans said.

He said preliminary negotiations on a new legal instrument were under way to seek an interim solution and data protection authorities from European Union member states would meet next week to discuss the implications of the ruling.

His complaint was first dismissed by the authorities in Ireland, where Facebook has its European base, because the data was covered by the transatlantic agreement.

There are over 5000 U.S. companies certified under Safe Harbor, and it’s anxious that without the means to transfer data to the United States from Europe, trans-Atlantic trade will suffer. A bill is now winding its way through the U.S. Congress to give Europeans the right to legal redress.

“We can’t assume that anything is now safe”, Brian Hengesbaugh, a privacy lawyer with Baker & McKenzie in Chicago who helped to negotiate the original safe harbor agreement, told the Times. In the wake of the revelations that stemmed from documents leaked by Edward Snowden about the US National Security Agency’s surveillance programmes, Max Schrems argued that United States law doesn’t provide sufficient data protection for European web-users.

The statement noted that the ECJ’s advocate general “himself said that Facebook has done nothing wrong”.

“There are companies with individual customers and users around the world, but there are also companies with global workforces processing human resources information in the USA, or US vendors providing data services to European businesses”, said Felix Wu, professor at Cardozo Law School.

The court’s ruling made it clear the greatest concern is the USA government having easy access to online data about the EU’s 500 million citizens. These companies will need to review their current contractual arrangements in order to determine the basis on which the transfer of personal data to the USA is being legitimised. Under the EU’s Data Protection Directive, data could be transferred between European Union and a third country only if it ensures an “adequate level” of data protection, and allowed U.S. companies to send data collected in European Union to the US.