If you don’t want your personal info pored over by the US authorities, close your Facebook account – such is the reassuring advice given by the European Commission to the European Court of Justice.
Judges yesterday grilled the Commish legal service in a case that could topple the 15-year-old EU-US data-sharing agreement known as “Safe Harbour”, a streamlined process developed by the US Department of Commerce and the EU, designed to prevent accidental information disclosure or loss.
Because the US in general does not meet EU standards for data privacy, the Safe Harbour workaround was dreamed up by the Commish in 2000, with the deal creating a voluntary framework whereby companies promise to protect European citizens’ data.
In the current case, a group called Europe v Facebook, led by privacy activist and “Angry AustrianTM” Max Schrems, alleges that Facebook violated European citizens' “fundamental rights” (defined in the European Convention on Human Rights) by transferring their personal data to the US National Security Agency (NSA).
After the Irish data protection commissioner refused to investigate, citing Safe Harbour rules, the case was referred first to the Irish High Court and now the ECJ.
The focus of Tuesday’s questioning was whether national data protection authorities should be able to suspend data transfers if needed. The Commish says no, and national regulators “are in principle not empowered” to suspend data transfers to the US.
However, Schrems was backed in his call for more independence for DPAs (data protection authorities) by national representatives from Austria, Belgium and Poland. Ireland, which is at the heart of the investigation, said it would welcome guidance on the matter.
The court also wanted to know if the European Commission could “ensure” privacy for EU citizens’ data in the US. The Commish said it was talking to the US authorities, but admitted it couldn't fully guarantee data protection.
Schrems told El Reg that he was pleased with the hearing overall: “The judges really trashed the Commission, and really attacked its position. Austria was very outspoken in saying that there was no real Safe Harbour, as was the European Parliament.”
The judges also heard from the UK and Slovenia, as well as the European Data Protection Supervisor’s office. According to the EDPS, the US needs to improve its privacy protection regime.
The EU parliament went further and again called for the Safe Harbour agreement to be suspended.
The Advocate General of the European Court of Justice will give his opinion on 24 June. ®