‘Bombshell’ data ruling hits Facebook and GoogleFrances Gibb and James Dean
Last updated October 06 2015 2:08PM
1 of 2
Data transfers to the US breach the human rights of EU citizens, court rules
The European Court of Justice has struck down an international agreement that gave US spy chiefs access to the online data of millions of British and European citizens.
The case was brought by Max Schrems, an Austrian privacy campaigner who challenged the Safe Harbour treaty in his fight to expose what information Facebook gave to American intelligence agencies.
The court found that legislation allowing the US authorities access to the content of the electronic communications of EU citizens compromised the fundamental right to respect for private life.
Mr Schrems said he was very pleased with the judgment, which he hoped would be a milestone for online privacy.
“This judgment draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible,” said Mr Schrems, a law graduate who spent a term studying in Silicon Valley.
Mr Schrems, 27, began legal action against Facebook’s data protection policies in 2013 after the allegations made by Edward Snowden in May of that year about the vast scope of online surveillance under the US Prism programme.
He brought the case in Ireland, where Facebook has its worldwide headquarters, as every Facebook user outside the US and Canada has a legal contract with Facebook Ireland.
At first his claims were rejected by the information watchdog in Dublin but Mr Schrems applied for a judicial review at the Irish High Court, which referred his case to the European Court of Justice (ECJ).
Today, in a ruling with far-reaching implications for the exchange and storage of data online, the ECJ struck down the 15-year-old Safe Harbour agreement that has until now allowed 4,500 American technology companies to transmit EU citizens’ data to the US.
“The court declares the Safe Harbour decision invalid,” it said in its judgment.
The court said the US authorities were able to access the personal data transferred from EU member states to the US and process it in a way incompatible with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.
“Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.”
The court added that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as “compromising the essence of the fundamental right to respect for private life”.
“Likewise, the court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.
“Finally, the court finds that the Safe Harbour decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.
“The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.”
The judgment will be sent to the High Court in Dublin where the judge will use it as the basis for deciding on Mr Schrems’s legal challenge for Facebook to be audited.
Mr Snowden, a former NSA contractor now in exile in Russia, exposed the existence of mass surveillance programmes, such as the NSA’s Prism and GCHQ’s Tempora, which sort through vast quantities of private communications.
“In the face of the Snowden revelations it is clear that safe harbour is not worth the paper it is written on,” said Jim Killock, director of Open Rights Group, a UK campaign organisation.
“We need a new agreement that will protect EU citizens from mass surveillance by the NSA.”
Monika Kuschewsky, a special counsel in data privacy at the international law firm Covington, said the judgment was a bombshell.
“The court has pulled the rug from under the feet of thousands of companies that have been relying on safe harbour. All these companies are now forced to find an alternative mechanism for their data transfers to the US.”
Mahisha Rupan, a data expert at Kemp Little, said however that there could be ways around the ruling for Facebook and others, such as putting in place binding corporate rules on handling data, or executing “model clauses” contracts between the data exporter and data importer.
“Consent of the individual may also be used to justify certain transfers to the US, but consent is tricky as it must be specific, informed and freely given,” Ms Rupan said.