LUXEMBOURG: The European Union’s highest court ruled yesterday in favour of an Austrian law student who claims a transatlantic data protection agreement doesn’t adequately protect consumers, a verdict that could have far-reaching implications for tech companies doing business in Europe.
Student Max Schrems launched the case following revelations two years ago by former US National Security Agency contractor Edward Snowden about the NSA’s surveillance programmes.
Schrems complained to the data protection commissioner in Ireland, where Facebook has its European headquarters, that US law doesn’t offer sufficient protection against surveillance of data transferred by the social media company to servers in the US.
Irish authorities initially rejected his complaint, pointing to a 2000 decision by the EU’s executive commission that, under the so-called “safe harbour” agreement, the US ensures adequate data protection.
The agreement has allowed for the free transfer of information by companies from the EU to US.
It has been seen as a boost to trade since in the absence of such a deal, swift and smooth data exchange over the internet would be much more difficult. Yesterday, the European Court of Justice ruled the decision by the commission invalid. It said that the “safe harbour” deal enables interference by US authorities with fundamental rights and contains no reference either to US rules to limit any such interference or to effective legal protection against it.
The court said the effect of the ruling is that the Irish data commissioner would now be required to examine Schrems’ complaint “with all due diligence”. Once it has concluded its investigation, the authority must “decide whether… transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that country does not afford an adequate level of protection of personal data”, the court said in a summary of its ruling. Facebook said it couldn’t immediately comment.
Schrems said he hoped the ruling would be a milestone for online privacy.
“This decision is a major blow for US global surveillance that heavily relies on private partners,” Schrems said. The judgment makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.”
However, he noted that the ruling doesn’t bar data transfers from the EU to the US, but rather allows national data protection authorities to review individual transfers.
“Despite some alarmist comments I don’t think that we will see mayor disruptions in practice,” Schrems said.
Sophie In’t Veld, a leading Liberal lawmaker in the European Parliament, welcomed the ruling and called the “safe harbour” decision “a travesty of legality. We need clear rules to govern the transfer of personal data to the US and other non-EU countries,” she said. – AP