The Court of Justice of the European Union (CJEU), the EU’s highest court, on Tuesday invalidated the “Safe Harbor” agreement, which since 2000 has allowed companies to store and transfer data between the US and EU.
A pillar of the agreement required the US to ensure equivalent protections to those guaranteed by the EU, but the CJEU noted that Edward Snowden’s revelations about the US National Security Agency show that “the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities.”
The decision’s impact will be felt across numerous global companies – any business that relies on the existing cloud and server-based data that flows between the continents. The list of affected companies ranges from global retailers and marketing technology firms to payroll processing software providers.
The response from marketers and Internet companies was swift and dismayed.
“The weakening of the Safe Harbor agreement limits European consumers’ access to valuable digital services and impedes trade and innovation,” the IAB said in a statement.
Other marketing trade groups also stressed the impact on the quality of service US companies can provide EU citizens. “Today’s decision puts at risk a critical avenue for … marketers and businesses to effectively provide their customers with information that allows them to access products and services,” said Christopher Oswald, VP of advocacy for the Direct Marketing Association, in a statement.
Even the official diplomatic response has been icy. US Commerce Secretary Penny Pritzker said in a statement she was “deeply disappointed” by the decision. Pritzker went on to claim the CJEU “does not credit the benefits to privacy and growth that have been afforded by this framework over the last 15 years.”
Though the responsibility is placed squarely on the US government, the most at-risk groups are the businesses that traffic in digital data.
“We urgently call on the European Commission and the US government to conclude their long-running negotiations to provide a new Safe Harbor agreement as soon as possible,” said Peter Olson, president of DIGITALEUROPE, an industry trade association that represents Apple, Google, Microsoft and others.
According to Gary Kibel, a partner at Davis & Gilbert LLP who specializes in advertising law and data security, getting around EU data restrictions is costly and punitive. A major global retailer, for instance, could strike deals with individual data protection agencies within the EU to get approval of its internal practices, but “it’s a very expensive process that few have done.” Companies that have used this method, known as binding corporate rules, include American Express, Citigroup and Shell Oil.
Another option is to get individual user consent, which is deeply unappetizing for American publishers due to “the immense complexity of data relationships,” said Trevor Hughes, president of the International Association of Privacy Professionals. An American digital media company, for example, could alert its readers and get approval, but it would also need to have that explicit consent in place for each vendor that puts a tag on its page or extracts data on its users.
Experts said these high hurdles are nearly impossible to overcome for the medium-sized businesses that rely on Safe Harbor and external tech vendors to traffic data.
Safe Harbor wasn’t the only framework for transferring data between the EU and US, but Kibel said the next-best alternatives are now in a regulatory gray zone. These other methods, such as a model contract – a business-to-business agreement on how data will be stored and transferred – are also accessible to US surveillance.
The CJEU’s decision cannot be appealed.