Naked Security

Safe Harbor agreement ruled invalid by top EU court

The European Union's highest court has ruled against the Safe Harbor agreement, saying it cannot be relied upon to adequately protect European citizens' data from US surveillance.

The European Union’s highest court has today ruled against the transatlantic Safe Harbor agreement which had allowed companies to transfer European citizens’ personal data to the US.

The decision, made by the European Court of Justice (ECJ), will affect thousands of companies which had been transferring a wide range of information under an agreement that allowed them to circumvent Europe’s much stricter privacy rules.

The agreement had been under the spotlight for some time, ever since ex-NSA contractor Edward Snowden began revealing how European data stored in the US was not safe from a level of government surveillance that would send shivers down the spines of European lawmakers.

Large tech firms including Apple, Facebook and Twitter are likely to feel the impact of the decision immediately, as it appears they must now abide by the individual data privacy regulations in each of the member states of the European Union.

The challenge of navigating twenty or more different sets of national data protection rules was recently highlighted by MEP Timothy Kirkhope of the European Conservatives and Reformists Group (ECR) who said:

The result of this ruling could be a patchwork of different regimes across Europe and different interpretations of how data should be stored and used. Court rulings often leave fragmentation in their wake which could be more damaging for businesses and consumers in the long run.

For US companies – or European companies transferring data to the US – trying to avoid that headache, the only other option that looks viable right now is the creation of data centres based within Europe which would allow EU data to stay within the Union rather than be transferred to the US. Or worse – some countries could even follow Russia’s lead in deciding that their citizens’ data must remain within their own borders.

The ruling comes after law student and privacy advocate Max Schrems brought a case against Facebook, saying his privacy had been violated by the NSA’s mass surveillance programs.

Though he is Austrian, Schrems brought the case in Ireland as the social network has its European headquarters in Dublin.

The country’s then Data Protection Commissioner, Billy Hawkes, rejected the case, saying Schrems couldn’t possibly know whether his own data had been spied on by the PRISM program. He pointed to an EU Executive Commission decision made in 2000 that stated that the US offered adequate data protection under the Safe Harbor agreement.

In a subsequent case, however, Schrems successfully argued before High Court Justice Gerard Hogan, who ruled that he could pursue his case further as the NSA’s aims and methods were not compatible with the Irish constitution, irrespective of whose data the agency may or may not have been spying upon. Justice Hogan escalated the case to the European Court of Justice.

And so, today the ECJ made its decision, electing to overturn the Irish Data Protection Commissioner’s ruling, saying that the Commissioner must now examine Schrems’ complaint “with all due diligence.”

Once it has concluded its investigation, the authority must, according to a summary of the ECJ ruling:

Decide whether, pursuant to the directive, transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

The ruling of the ECJ is final and cannot be appealed, though groups such as the ECR are hopeful that the EU and US can now work together to “find a [political] solution” that will be clear and consistent across all member states.

Speaking after the case, a jubilant Schrems said:

I very much welcome the judgement of the Court, which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line.

He did, however, point out that the judgement only applied to a limited set of situations, namely the transfer of EU data to US providers. This, he said, meant the typical consumer would not see any changes in their daily lives but they would be free from the possibility of mass surveillance.

Despite today’s massive success, Schrems is likely to be back in court again in the near future as his Europe vs Facebook group continues to pursue a class action lawsuit brought against the social network for alleged privacy violations across the Union.