European court rules US online data agreement is invalid
Ruling follows a complaint filed by Austrian law student Max Schrems against Facebook
EU-US trade and diplomatic relations are sailing into uncharted waters after the European Court of Justice (ECJ) ruled invalid the “Safe Harbour” arrangements allowing streamlined EU citizen data transfer to the US.
The court said the 15 year-old provisions, used by around 4,500 US firms operating in Europe, had been undermined by revelations that US intelligence services had access to the transferred data, contradicting EU data standards and EU citizens’ fundamental rights to privacy.
The ruling doesn’t pull the plug on data transfers but, until a new transatlantic agreement is put in place, creates legal uncertainty for all companies using Safe Harbour.
The ECJ verdict also creates problems for Facebook’s international operations, based in Dublin, and puts the spotlight on the Irish Data Protection Commissioner (DPC), which regulates Facebook and other US tech giants based in Ireland.
The ECJ found that Ireland’s DPC was not precluded, as it had claimed, from investigating the original complaint. Austrian privacy campaigner Max Schrems filed a complaint with the DPC against Facebook’s use of his data following claims by Edward Snowden that US intelligence had access to all of Facebook’s data, including that of EU users. The DPC dismissed the complaint as “frivolous and vexatious” and said it had no means of intervening on Safe Harbour, which it said was the business of the European Commission.
Listen to Max Schrems explain the ECJ ruling
Mr Schrems said on Tuesday the ruling was “perfect”.
“This doesn’t mean data flows are illegal overnight,” he said, “but it means national data protection commissioners can take action to stop things.”
He dismissed as “alarmist lobbying” claims that striking down Safe Harbour would break the internet. Instead, he said, it removes a privilege enjoyed by US companies - one not shared by companies from China, Russia or other EU trading partners.
“I think the US now has to decide whether or not they want extra benefits for their companies in Europe, and whether they are ready to give up some of their surveillance,” he said.
The ECJ ruling now returns the case to the High Court, where Mr Schrems took a judicial review against the DPC’s original decision. The High Court will now instruct Ireland’s regulator to investigate fully the Schrems complaint over Facebook and decide whether its data transfers of EU member data should be suspended.
“The comfortable times are over now for the Irish DPC and data commissioners all over Europe,” said Prof Herwig Hofmann, legal counsel for Mr Schrems, “because the court has said they must now really investigate complaints like the one against Facebook.”
In a statement, Facebook said that, while it relied on many legal methods for data transfer, it was anxious to see legal clarity over Safe Harbour.
“It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security,” said a Facebook spokesperson.
European Commission vice-president Frans Timmermans is holding a press conference this afternoon in Strasbourg to react to the ECJ ruling.