SAFE HARBOUR IS INVALID, according to judges at the European Court of Justice, and nations can now resist the sharing of data with the US. This could cause problems for busineses, while improving things for the privacy aware.
The ruling in the case, known in legal circles as Maximillian Schrems v Data Protection Commissioner (PDF), means that national regulators can deny and suspend data transfers to the US.
This potentially means overtime for agents at the National Security Agency (NSA), but closer to home it may damage businesses that rely on and deal with data to survive.
Ultimately it is a good thing according to privacy campaigners, which has been brought about by a student who became concerned about Facebook and his data. That student is Maximillian Schrems.
"In short, Schrems wants to prevent US intelligence agencies gaining access to his personal data by making it harder for US-based businesses to collect personal data about EU citizens," explained Robert Lands, partner and head of intellectual property at law firm Howard Kennedy.
The case pulled in a lot of information, much of which relates to Edward Snowden and his NSA PRISM revelations. The reported liberties taken by the US agencies have helped inform the European decision, according to those who have followed the case and the efforts of the whistleblower.
"In the face of the Snowden revelations, it is clear that Safe Harbour is not worth the paper it's written on. We need a new agreement that will protect EU citizens from mass surveillance by the NSA," said Open Rights Group executive director Jim Killock.
"Privacy activist Max Schrems initially brought a case against Facebook in Ireland, arguing that US companies were passing data to the NSA, and therefore violating his privacy.
"The Irish Data Protection Commissioner rejected the case on the grounds that the Safe Harbour agreement made provisions to protect the transfer of data. Schrems appealed the decision and today the European Court of Justice of [ECJ] found that Safe Harbour is invalid."
The other side of the argument has a different view, of course, and warned that any firm that deals with data could suffer as a result, and that it will not be the big boys that feel the change the most, but rather smaller companies.
"The ECJ's decision is not surprising, but it will still have a profound impact on the global tech industry. American companies are going to have to restructure how they manage, store and use data in Europe and this takes a lot of time and money," said Mike Weston, CEO at data science consultancy Profusion.
"The biggest casualties will not be companies like Google and Facebook because they already have significant data centre infrastructure in countries like Ireland, it will be medium-sized, data-heavy tech companies that don't have the resources to react to this decision."
Mark Thompson, privacy practice leader at thinking outfit KPMG, added that companies will now have to turn to the local authortities for guidance on what to share and where.
"Global companies will be looking towards regulators for a sensible solution in the near future. There is a risk that, if rules around data transfers aren't handled pragmatically, this will result in a restriction on the flow of personal information across global organisations which could have a detrimental impact on their business models," he said.
Thompson added that this could have a knock-on impact on international relations, and business in general.
"This could affect global trade as organisations are likely to be required to restructure business functions, outsourcing arrangements and business partnerships, and relocate IT assets to ensure that processing of personal information does not take place inside the US.
"For global organisations this would be a substantial undertaking and the associated costs and practicalities involved could be very significant." µ
The week in Google
The scandal that just keeps giving
Clip to the end....