CJEU ruling brings legality of data transfers into the limelight

Europe's Highest Court, the Court of Justice of the European Union (CJEU), has ruled that a data sharing agreement between the US and Europe under the Safe Harbour framework is invalid. The case reference is: Case C-362/14. This landmark ruling could have major repercussions for both start-ups and giants, for example Google and Facebook. These corporations heavily depend on being able to freely transfer user data between the two continents.

The ECJ's decision strikes down the Safe Harbour agreement that allowed well over 4000 companies to transfer data and avoid local data protection laws.

The ruling comes after an assessment that US data protection laws were not adequate enough. EU law makes it clear that companies are permitted to transfer data out of the EU as long as that data is sufficiently protected.

There is no mention in the ruling of any grace period being offered by the Court. This suggest that companies who have established data transferring methods will have to implement new systems as soon as practicable. The Safe Harbour Agreement which has been in existent over 15 years and is used by large corporations like those mentioned above but also Twitter and Amazon. Now that this Agreement is no longer valid and legal – they will now need to find new ways to process and store data.

The ruling comes after privacy advocate Max Schrems brought a case against Facebook in Ireland. He said his privacy had been violated by the NSA's mass-surveillance programs, first revealed by whistle-blower Edward Snowden. Schrems is Austrian, but he brought the case against Facebook in Ireland because the Facebook's European headquarters are in Dublin.

Following the ruling Max Schrems released a statement which included the following: "I very much welcome the judgement of the Court, which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.

The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it".

It is expected that the national supervisory authorities will soon comment and offer their opinion on CJEU judgement. The EU Commission and the US are already holding negotiations to agree a new data protection agreement. However, it is too early it is too early to know when these negotiations will be concluded or the impact the new agreement will have on the transfer of data to the US.