The European Court of Justice invalidated the Safe Harbor agreement that let American companies store the personal data of European citizens outside the EU. The agreement, as it stood, was binding on the activities of companies but imposed no restraints on the behavior of U.S. law enforcers or intelligence agencies.
The Article 29 Working Party (WP) watchdog group has since given the U.S. and the European Commission until January 2016 to negotiate a new agreement that will protect the personal data of European citizens in a way that is compatible with EU law. The two sides have been notified that if they cannot come up with an agreement by then, the EU data protection authorities will take “necessary and appropriate actions” against U.S. companies that store personal data outside of European jurisdiction.
The ruling was triggered by a case brought by Austrian privacy activist Max Schrems following his unsuccessful attempt to get European privacy regulators to stop Facebook from moving its users’ data to the U.S. Schrems argued that the data would be subject to mass surveillance under the National Security Agency’s PRISM program as revealed by Edward Snowden. In the wake of Snowden’s revelations, the Commission had already begun negotiating with the U.S. to provide sufficient protection, which could form the basis of a new agreement.
According to the WP, U.S. companies still relying on the old Safe Harbor agreement are not acting lawfully and should consider the alternative steps available to them for transferring data.