The European Court of Justice, the E.U. equivalent of the U.S. Supreme Court, today ruled the Safe Harbor data transfer agreement void, presenting a challenge to tech companies like Amazon or Facebook that use the deal to move personal data from the European Union to the U.S.
With the overarching deal tossed by the court, now its up to regulators in each European Union member nation to review data transfers and the attendant guidelines.
“This is extremely bad news for E.U.-U.S. trade,” technology attorney for Linklaters in London Richard Cumbley told the New York Times. “Thousands of US businesses rely on the Safe Harbor as a means of moving information. Without Safe Harbor, they will be scrambling to put replacement measures in place.”
The case started with Austrian Facebook user Maximillian Schrems, according to court documentation. Schrems became aware that his personal data was being moved from Austria to Facebook servers in Ireland, a country that has been supportive of Safe Harbor. Schrems complained to the Irish Data Protection Commissioner “in light of the revelations made in 2013 by Edward Snowden…”
The Irish authorities rejected the complaint, which prompted an appeal to the High Court of Ireland, then onto the European Court of Justice.
From the court’s ruling: “The court stresses in this regard the right…to the protection of personal data and the task with which the national supervisory authorities are entrusted under the charter. The court states, first of all, that no provision of the directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a commission decision. Thus, even if the commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive. Nevertheless, the court points out that it alone has jurisdiction to declare that an EU act, such as a commission decision, is invalid. Consequently, where a national authority or the person who has brought the matter before the national authority considers that a commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the Court of Justice if they too have doubts as to the validity of the Commission decision. It is thus ultimately the Court of Justice which has the task of deciding whether or not a commission decision is valid.”
With that, the court invalidated Safe Harbor.
Schrems and 25,000 other Facebook users in Europe are taking on the social media giant claiming the company invaded their privacy by participating in the NSA’s PRISM dragnet surveillance program, among other invasions.
“Basically we are asking Facebook to stop mass surveillance, to [have]a proper privacy policy that people can understand,” Schrems told AFP, “but also to stop collecting data of people that are not even Facebook users.”
