US data storage systems operated by Facebook and other digital operators do not provide customers with protection from state surveillance, the European court of justice has ruled.
The declaration by the EU court in Luxembourg that privacy is being compromised will have far-reaching consequences for the online industry and could force many companies to relocate their operations.
Declaring the American so-called safe harbour scheme “invalid”, the ECJ, whose findings are binding on all EU member states, ruled that: “The United States … scheme thus enables interference, by United States public authorities, with the fundamental rights of persons…”
Safe harbour is an agreement between the European commission and the US that provides guidance for US firms on how to protect the personal data of EU citizens as required by the European Union’s directive on data protection. Negotiations are under way to upgrade the framework and provide better privacy for online users.
The ruling, confirming an earlier opinion by the court’s advocate-general last month, is a victory for the Austrian campaigner Maximilian Schrems, who initially brought a claim against Facebook in Ireland in the wake of Edward Snowden’s revelations about the activities of the US National Security Agency (NSA).
The ECJ ruling said: “The safe harbour decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.
“… This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.”
Responding to the judgment, the Liberal Democrat MEP Catherine Bearder commented: “This is a historic victory against indiscriminate snooping by intelligence agencies, both at home and abroad. In a globalised world, only a strong and binding international framework will ensure our citizens’ personal data is secure.”
Monika Kushewsky, a data privacy lawyer with the firm Covington, said: “This judgment is a bombshell. The EU’s highest court has pulled the rug under the feet of thousands of companies that have been relying on safe harbour. All these companies are now forced to find an alternative mechanism for their data transfers to the US. And, this, basically overnight, as the court has declared the commission decision on safe harbour invalid without providing for any transitional period.”
Mike Weston, chief executive of the data science consultancy Profusion, said: “American companies are going to have to restructure how they manage, store and use data in Europe and this will take a lot of time and money. The biggest casualties will not be companies like Google and Facebook because they already have significant data centre infrastructure in countries like the Republic of Ireland, it will be medium-sized, data-heavy tech companies that don’t have the resources to react to this decision.”
Mark Thompson, privacy practice leader at KPMG, said: “Europe [is] taking a strong stance in ensuring that European citizens are provided the same level of protection no matter where the processing of their personal information takes place.
“At the foundation of this is the need for global organisations to take privacy seriously, creating an environment which respects the rights of the individuals whose personal information they process regardless of the mechanism used to legitimise the transfer.”
The home affairs spokesman for the Greens in the European parliament, Jan Philipp Albrecht, said: “Safe harbour enabled masses of Europeans’ personal data to be transferred by companies like Facebook to the United States over the past 15 years. With today’s verdict it is clear that these transfers were in breach of the fundamental right to data protection. It is now up to the commission and the Irish data protection commissioner to immediately move to prevent any further data transfers to the US in the framework of safe harbour.
“It is now high time to pass a strong and enforceable framework for the protection of personal data in the course of the EU data protection reform and make clear to the United States that it has to deliver adequate legally binding protection in the private sector as well as to introduce juridical redress for EU citizens with regards to their privacy rights in all sectors including national security.”