Safe Harbour ruled INVALID: Facebook 'n' pals' data slurp at risk

Time to get off the jet ski and get the lawyers on the blower


In a landmark ruling that will have far-reaching repercussions, Europe’s highest court has ruled that data sharing between the EU and US under the Safe Harbour framework is invalid.

The decision in the Max Schrems case on Tuesday morning has been anticipated for months, but now legal eagles will have to work out how to manage the situation.

Safe Harbour is a fig-leaf agreement set up 16 years ago to create a way for US businesses to transfer EU citizens’ personal data to the US even though American data protection laws are not up to the European standard. Following the revelations by rogue sysadmin Edward Snowden that US businesses were being compelled to hand over personal data under the Prism programme, Austrian law student Schrems complained to the Irish data protection commissioner - Facebook’s EU operations are head-quartered in Ireland – that his privacy rights were being violated.

The Irish data protection authority (DPA) refused to act on the grounds that the social network is signed up to Safe Harbour/Harbor - a voluntary scheme whereby companies promise to protect EU personal data. Undeterred, Schrems took his case to the Irish High Court which referred it to the European Court of Justice (ECJ).

In today’s ruling, the ECJ says that national DPAs cannot use Safe Harbour as a reason for not investigating suspected mishandling of data.

The crux of the matter is that although companies may respect the Safe Harbour guidelines, “United States public authorities are not themselves subject to it”.

“Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons,” said the ECJ in a press statement.

In summary the court said that “the Irish supervisory authority is required to examine Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether transfer of the data of Facebook’s European subscribers to the US should be suspended on the grounds that that country does not afford an adequate level of protection of personal data.”

Technically that means that this particular ball is back in the Irish DPA’s court. But in reality, it means that the almost 5,000 companies relying on Safe Harbour for transferring EU data to US servers no longer have that safety net.

US businesses and authorities alike will be furious with the decision, lawyers will be rubbing their hands with glee and the European Commission will be shaking its head and wondering where it all went wrong. More to follow. ®

Similar topics


Other stories you might like

  • Google has more reasons why it doesn't like antitrust law that affects Google
    It'll ruin Gmail, claims web ads giant

    Google has a fresh list of reasons why it opposes tech antitrust legislation making its way through Congress but, like others who've expressed discontent, the ad giant's complaints leave out mention of portions of the proposed law that address said gripes.

    The law bill in question is S.2992, the Senate version of the American Innovation and Choice Online Act (AICOA), which is closer than ever to getting votes in the House and Senate, which could see it advanced to President Biden's desk.

    AICOA prohibits tech companies above a certain size from favoring their own products and services over their competitors. It applies to businesses considered "critical trading partners," meaning the company controls access to a platform through which business users reach their customers. Google, Apple, Amazon, and Meta in one way or another seemingly fall under the scope of this US legislation. 

    Continue reading
  • FTC urged to probe Apple, Google for enabling ‘intense system of surveillance’
    Ad tracking poses a privacy and security risk in post-Roe America, lawmakers warn

    Democrat lawmakers want the FTC to investigate Apple and Google's online ad trackers, which they say amount to unfair and deceptive business practices and pose a privacy and security risk to people using the tech giants' mobile devices.

    US Senators Ron Wyden (D-OR), Elizabeth Warren (D-MA), and Cory Booker (D-NJ) and House Representative Sara Jacobs (D-CA) requested on Friday that the watchdog launch a probe into Apple and Google, hours before the US Supreme Court overturned Roe v. Wade, clearing the way for individual states to ban access to abortions. 

    In the days leading up to the court's action, some of these same lawmakers had also introduced data privacy bills, including a proposal that would make it illegal for data brokers to sell sensitive location and health information of individuals' medical treatment.

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • Google updates Chrome to squash actively exploited WebRTC Zero Day
    How sad – this looks like a fine excuse to avoid video conferences for a while

    Google has issued an unexpected update to its Chrome browser to address a zero-day WebRTC flaw that is actively being exploited.

    The culprit is CVE-2022-2294, and is a problem in WebRTC – the code that imbues browsers with real-time comms capabilities.

    Details of the flaw, number 1341043, are not currently detailed in the Chromium project bug log, and details of the CVE have not been published at the time of writing. But Google's notification of a new browser version describes it as: "Heap buffer overflow in WebRTC. Reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01."

    Continue reading

Biting the hand that feeds IT © 1998–2022