Hurrah! Individual data privacy wins battle from U.S. corporate money, economic power and credit to Snowden’s revelation of NSA surveillance. The EU-US agreement is thrown out by the European Court of Justice in Luxembourg. Initial response by Max Schrems to the CJEU decision today:
- “I very much welcome the judgement of the Court, which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.
The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it.
This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.
At the same time this case law will be a milestone for constitutional challenges against similar surveillance conducted by EU member states.
Does your company rely on Safe Harbor to transfer personal data from Europe to the US? If so, it’s time to think about alternatives to Safe Harbor – and fast.
The European Union’s Data Protection Directive (1998) prohibits the transfer of personal information outside of the European Economic Area unless the receiving country ensures an adequate level of privacy protection. Soon after the Directive was passed, the European Commission determined that the US doesn’t offer adequate levels of protection. The EU and the US negotiated the Safe Harbor agreement in 2000 to allow US companies to self-certify that they provide protections that are equivalent to the requirements of the Data Protection Directive.
Currently, over 4,000 US companies rely on the EU-US Safe Harbor program to make their transfer of personal data from the EU to the US legal under European privacy laws. But in light of the opinion issued today by ECJ Advocate General Yves Bot in the Schrem case, there’s a very high risk that the Safe Harbor program will be invalidated by the European Court of Justice, which is the EU’s highest court. The AG found that the Commission’s decision (made 15 years ago) that the US-EU Safe Harbor program offers an adequate level of protection to personal data of EU residents was invalid in light of what is now known (largely through Edward Snowden’s disclosures) about the transfer of personal information from companies such as Facebook Ireland to the NSA under the PRISM intelligence program.
The ECJ will issue its ruling on the Maximillian Schrems v Data Protection Commissioner case before the end of 2015, and possibly sooner. The ECJ does not have to adopt the Advocate General’s opinion, but it usually does (with the Google Spain case being a notable exception). All of this is against the backdrop of negotiations between the European Commission and the US government for reforms to the Safe Harbor program and its enforcement by the US.
There have been plenty of (potentially reasonable) complaints out of the EU that the safe harbor process doesn’t actually do much to protect Europeans’ data. That may be true, but the flipside of it isn’t great either. Without the safe harbor framework, it’s possible that it would be much more difficult for American internet companies to operate in Europe — or for Europeans to use American internet companies. Some in Europe may think that’s a good idea, until they suddenly can’t use large parts of the internet.
Either way, the whole safe harbor system has come under attack on a variety of fronts, and it looks close to breaking… all because of the NSA. Max Schrems, who made news back in 2011 by asking Facebook for a copy of all the data it had on him, argued that the NSA’s PRISM surveillance program violated EU data protection rules. The European Court of Justice’s Advocate General, Yves Bot, has now sided with Schrems and basically said that the NSA surveillance has made the safe harbor process invalid.
