The landmark judgment of the European Court of Justice invalidating the Safe Harbour agreement with the United States will have a broad impact on business, but don't expect any immediate action.
The Information Commissioner's Office (ICO) in the UK has confirmed that it will give companies time to get new data transfer agreements in place, but it is essential that the effects of the judgment are taken into immediate consideration.
The case, brought by Austrian national Max Schrems against Facebook, concerns the transfer of personal data from Europe to the US, where many cloud servers are located, where they are susceptible to being accessed by the American National Security Agency (NSA) and others.
The Safe Harbour agreement was designed to protect the personal information of citizens when transferred out of the EU. The decision has confirmed that it has not been as effective as it should or could have been in this area. A new agreement, dubbed 'Safe Harbour 2.0' is being prepared, but no date has been given for it to become effective.
In the meantime, organisations that have previously relied on Safe Harbour will have to consider what steps they should take to comply with data protection legislation, which may be more expensive and time-consuming for consumers as well as businesses.
David Smith, the deputy ICO commissioner has confirmed that no immediate action will be taken, but how much time will be seen as reasonable has not been suggested, but it likely to be weeks rather than months.
Facebook, against which Schrems brought the claim, is unlikely to be found at fault given the thousands of other businesses that have relied on the agreement, but it has been made an example of. Schrems has previously brought claims against the social media giant, all of which have failed or been dropped. The case will now be returned to the Irish court where it was initiated for a separate judgment in light of this clarification from the ECJ.
In a landmark ruling on Tuesday the European court of justice struck down the “safe harbour” arrangements with the US amid concerns it gives American intelligence agencies access to European citizens’ data. “The judgement has clarified that it is now for the data protection commissioner to revisit Mr Schrems’s complaint and carry out the necessary investigations,” said Dara Murphy, the Irish data protection minister.