Earlier today, the European Court of Justice announced that it was invalidating the US/EU Safe Harbour agreement that has allowed personal data to move back and forth between the two entities for the past decade. Facebook is the formal defendant in the case, but it is really a precedent-setting ruling that demonstrates the EU’s position on protecting data from government intelligence agency intervention once it enters the US.
The ruling manifests itself in the declared need for individual EU member nations to decide whether the specific controls put in place adequately protect the privacy of the data being transferred. (For those in the US, this is akin to a federal vs. states’ rights discussion.)
So what happens next? There are a few lines of thinking, but they all end up in a very fragmented approach to what had been a straightforward (albeit potentially flawed) process.
An emerging approach seems to be to simply add the EU-approved contract language (aka Model Clauses) to agreements that exist between companies that have data moving between the regions, but this is not really scalable for those with large client bases.
Another approach is to move all EU data back into the EU and leave it there. Some are discussing moving all personal data to the EU since protection rules do not exist for US personal data in a similar manner.
Will Facebook (and others) close up shop in the EU this afternoon as a result? Likely not, but the outcomes of this ruling will cause a lot of work for attorneys and privacy staff in getting the right agreements in place – and may result in a shift of data out of the US for non-US users, which may increase costs and affect the flexibility of the services that people have come to rely on for their daily activities, many of which are based in the US.