European Court of Justice calls for end to Safe Harbour
Decision reached over concerns EU citizens’ data was being passed on by US firms
Max Schrems: The European Court of Justice case arose from a complaint by the Austrian lawyer and privacy campaigner to the Irish Data Protection Commissioner. Photographer: Max Schrems/Europe-V-Facebook.or/PA Wire
The advocate general of the European Court of Justice has recommended ending a practice that allows US companies to fast-track the transfer of EU citizens’ data abroad, over concerns that it is being accessed by US intelligence services in contradiction of European law and citizens’ fundamental rights.
In a non-binding report ahead of a final ruling, expected before the end of the year, the Luxembourg court’s advocate general Yves Bot recommended the court throw out the so-called Safe Harbour data transfer provision for US firms operating in the EU. He also criticised the European Commission for not ending the practice earlier despite its own concerns, and revelations of US intelligence interception of the data by NSA whistleblower Edward Snowden.
“Although it was aware of shortcomings,” the advocate general wrote in a 44-page opinion, “the Commission neither suspended nor adapted that decision, thus entailing the continuation of the breach of the fundamental rights of the persons whose personal data was and continues to be transferred under the safe harbour scheme.”
This contradicted not just the EU’s own data protection directive, he wrote, but also articles 7 and 8 of the EU Charter of Fundamental Rights. Respectively, these guarantee “the right to respect for his or her private and family life, home and communications” and “the right to the protection of personal data”.
Should a final ECJ ruling follow the argument that US companies do not currently offer “adequate protection” for EU citizens’ data, it would end the automatic data transfer regime with far-reaching consequences for EU-US relations and talks on a transatlantic free-trade agreement.
The European Court of Justice case arose from a complaint by Austrian privacy campaigner Max Schrems to the Irish Data Protection Commissioner, on foot of claims by Edward Snowden that Facebook and other US multinationals were, directly or indirectly, allowing US intelligence agencies unrestricted access to EU citizens’ data.
The commisioner declined to investigate Mr Schrems’s concerns over his Facebook data in the US, saying it had no legal means to do so under Safe Harbour provisions.
At a judicial review taken by Mr Schrems against the DPC decision, the High Court asked the European Court of Justice for clarification on how, in the post-Snowden era, EU citizens’ fundamental rights to privacy and data protection should be reconciled with the “Safe Harbour” provision.
Mr Schrems said yesterday he was optimistic that his long-running campaign against Facebook “could pay off”.
“Now we just have to hope that the judges of the Court of Justice will follow the advocate general’s opinion in principle,” he said.
His Irish legal team welcomed the preliminary opinion, describing it as a “hugely significant case that deals with the fundamental rights of millions of EU citizens”.
“By not suspending or adapting the Safe Harbour decision, the Commission allowed the continuation of the breach of fundamental rights of persons whose personal data continued to be transferred under the Safe Harbour scheme,” said Gerard Rudden, partner at Ahern Rudden.
“This breach of fundamental rights is continuing today.”
Mr Bot said it “must be possible for transfers of personal data to the United States to be suspended at the initiative of the national supervisory authorities or following complaints lodged with them”.
Should the final European Court of Justice ruling follow this line of argument it could mean a radical overhaul both in how US multinationals operate from Ireland and how the commisioner regulates them.
In a reaction to the preliminary ruling, Facebook said it operates in compliance with EU data protection laws. The European Commission declined to comment on the case but said it was working “tirelessly”on a replacement for Safe Harbour.
Irish data protection commissioner Helen Dixon said she would not comment on the case ahead of the final ruling “which I understand is to be delivered in the coming months”.