Safe Harbour must be suspended immediately, says chair of European Parliament Civil Liberties Committee

'The Commission must immediately put forward a new complete and strong framework for transfers of personal data to the US' says Claude Moraes

Safe Harbour, the agreement by which personal data can be transferred to the US for processing, must be suspended with immediate effect, following today's ruling by the European Court of Justice, which declared the pact invalid, the Chair of the European Parliament Civil Liberties Committee, Claude Moraes, has said.

"The Commission must immediately put forward a new complete and strong framework for transfers of personal data to the US which complies with requirements of EU law as enshrined in the Charter of Fundamental Rights and EU data protection rules and provide our citizens with solid, enforceable data protection rights and effective independent supervision," said Moraes, as reported in European Parliament News.

The European Parliament and the European Commission (EC) have been at loggerheads over Safe Harbour ever since Edward Snowden revealed that personal data of EU citizens was being handed over to the NSA.

Last year, the European Parliament called upon the EC to "present measures providing for the immediate suspension of Commission Decision 2000/520/EC, which declared the adequacy of the Safe Harbour privacy principles" and to "put forward a proposal for a new framework for transfers of personal data from the EU to the US".

Under pressure from the US, the EC has been reluctant to abandon Safe Harbour fearing it might damage international commerce. The EC and US have been in discussions over how to modify Safe Harbour to suit both sides, but Moraes says there has been little evidence of progress.

"The Commission has been in negotiations with the US for over a year on improving the framework but we have still received no update on these discussions," he said.

Moraes' statement is in contrast to the opinion of Mark Thompson, privacy practice leader at KPMG, who told Computing he believes that "business as usual" will prevail for a while.

"In the short term we expect to see the [US] Federal Trade Commission (FTC) to continue to be the enforcer of Safe Harbour. The FTC has taken additional action against various companies in the last 30 days requiring them to change their privacy practices to bring them into line with Safe Harbour requirements. In addition, the US Department of Commerce will continue to negotiate proposed revisions to Safe Harbour to address the EU's concerns over the broader transfer of personal information of EU citizens to the USA," Thompson said.

David Evans, director of policy at BCS, The Chartered Institute for IT, said that tech companies have themselves to blame, at least in part, for the situation in which they find themselves.

"We've failed to design our personal data ecosystem around the people who have the biggest stake in that data; the subject. Lawmakers and corporations have been struggling in a tug-of-war for control over this issue, but what's needed is a revolution in how we deal with personal data," Evans said, adding that they will find it hard to adapt to the changes.

"At this point, it will not be clear how many organisations moving personal data across US/EU borders will be able to immediately comply with this ruling, as infrastructure may be fundamentally designed to ignore these boundaries. This could cause a wide array of cloud service providers to have to re-engineer their core systems in a fundamental way, or at the very least to invest heavily in EU-based data centres," Evans said.