Court strikes down U.S./EU “Safe Harbor” Agreement
The European Union Court of Justice this week struck down the “Safe Harbor” data transfer agreement, saying the fifteen year old deal does not adequately protect its citizens’ data from mass surveillance by U.S. authorities.
The Court stated that the data agreement “enables interference, by United States public authorities, with the fundamental rights of persons” to privacy, and “must be regarded as compromising the essence of the fundamental right to respect for private life.”
Further, “the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection.”
According to Reuters, “many companies, both U.S. and European, use the Safe Harbor system to help them get around cumbersome checks to transfer data between offices on both sides of the Atlantic. That includes payroll and human resources information as well as lucrative data used for online advertising, which is of particular importance to tech companies.”
The ruling comes in response to a lawsuit filed by Austrian law student & Facebook user Max Schrems, “who challenged Facebook’s transfers of European users’ data to its American servers because of the risk of U.S. snooping, in light of Snowden’s revelations in 2013,” according to the Reuters report.
Said Schrems in response to the ruling, “This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights.”
The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it.
This decision is a major blow for US global surveillance that relies on private partners. The judgement makes clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.
At the same time this case law will be a milestone for constitutional challenges against similar surveillance conducted by EU member states.
There are still a number of alternative options to transfer data from the EU to the US. The judgement makes it clear, that now national data protection authorities can review data transfers to the US in each individual case – while ‘safe harbor’ allowed for a blanket allowance.
Schrems filed his complaint with the Irish Data Protection Commissioner, which the Court has now ruled must decide whether “transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.”