In a landmark ruling that will have far-reaching repercussions, Europe’s highest court has ruled that data sharing between the EU and US under the Safe Harbour framework is invalid.
The decision in the Max Schrems case on Tuesday morning has been anticipated for months, but now legal eagles will have to work out how to manage the situation.
Safe Harbour is a fig-leaf agreement set up 16 years ago to create a way for US businesses to transfer EU citizens’ personal data to the US even though American data protection laws are not up to the European standard. Following the revelations by rogue sysadmin Edward Snowden that US businesses were being compelled to hand over personal data under the Prism programme, Austrian law student Schrems complained to the Irish data protection commissioner - Facebook’s EU operations are head-quartered in Ireland – that his privacy rights were being violated.
The Irish data protection authority (DPA) refused to act on the grounds that the social network is signed up to Safe Harbour/Harbor - a voluntary scheme whereby companies promise to protect EU personal data. Undeterred, Schrems took his case to the Irish High Court which referred it to the European Court of Justice (ECJ).
In today’s ruling, the ECJ says that national DPAs cannot use Safe Harbour as a reason for not investigating suspected mishandling of data.
The crux of the matter is that although companies may respect the Safe Harbour guidelines, “United States public authorities are not themselves subject to it”.
“Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons,” said the ECJ in a press statement.
In summary the court said that “the Irish supervisory authority is required to examine Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether transfer of the data of Facebook’s European subscribers to the US should be suspended on the grounds that that country does not afford an adequate level of protection of personal data.”
Technically that means that this particular ball is back in the Irish DPA’s court. But in reality, it means that the almost 5,000 companies relying on Safe Harbour for transferring EU data to US servers no longer have that safety net.
US businesses and authorities alike will be furious with the decision, lawyers will be rubbing their hands with glee and the European Commission will be shaking its head and wondering where it all went wrong. More to follow. ®