News and Events



EU Court stops US businesses holding on to European data

View profile for Paul Fox

EU Court stops US businesses holding on to European data


In a move which has ‘sent shockwaves’ around the internet industry, the EU Court of Justice has ruled a 2000 ‘safe harbour’ agreement between the EU and the US invalid.

This ‘safe harbour’ framework allowed multinational companies in the US to hold onto data – such as that gathered by social media site Facebook.

The ruling came about after one Maximilian Schrems – Facebook devotee and fan of whistle-blower extraordinaire Edward Snowden – complained that he felt inadequately protected from surveillance by US authorities (at this point one is moved to wonder what was going on in his Facebook messages, but of course it is the principle of the thing that matters most).  His initial complaint was thrown out by the data protection commissioner in Ireland (where, bafflingly, Schrems’ data was being held). The commissioner cited the ‘safe harbour’ agreement, and said that it offered an adequate degree of protection.

The EU Court of Justice, however, disagreed. It held that this previous power (made, after all, at a time when few could have predicted the extraordinary growth in personal data shared online) and the commission’s decision ‘cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the data protection directive’.

In short, the Irish data protection commissioner must now examine Schrems’ complaint with ‘all due diligence’.

The response has been strong, to say the least: the Gazette quotes a media lawyer over at Olswang as saying there would be ‘appalling fallout’ as online businesses could no longer rely on safe harbour, but would have to deal with the data protection legislation in individual jurisdictions. 

It may well be that the safe harbour agreement will be renegotiated – though Mahisha Rupan of tech law firm Kemp Little wonders whether there may be other ways of making sure the personal data of EU citizens is adequately protected, such as “implementing binding corporate rules or executing model clauses’ contracts between the data exporter and data importer.’

Whatever the outcome, it’s increasingly clear that the use, storage and transfer of personal data – including by law firms – remains a legally sensitive matter. At Legastat, we can advise clients on how to manage their Data Protection obligations whilst ensuring they make the best possible use of legal tech.