In order to address the fact that the United States does not have a data protection law, but that US companies need to deal with Europeans whose data is protected by the EU Data Protection Directive, the Safe Harbor Framework was thrashed out in 2000 between the European Commission and the US Department of Commerce. It aimed to ensure that US firms complied with EU data protection laws when handling EU citizens’ data.
In 2012, Austrian student and leader of the group ‘Europe vs Facebook’, Maximilian Schrems, took Facebook to court in Ireland over Edward Snowden’s revelations that Facebook passed vast amounts of its users’ data to the NSA, as part of its PRISM surveillance operation.
The Irish Data Commission ruled against him, saying that the Safe Harbor Agreement provided for adequate protection of Europeans’ data.
Last year, however, Schrems successfully appealed against this decision to the High Court of Ireland, which referred the case to the European Court of Justice (ECJ) on the grounds that the evidence suggested data was routinely accessed on a ‘mass and undifferentiated basis’ by the US security authorities.
The ECJ’s advocate general, Yves Bot, yesterday issued an important Opinion that supports Schrems’s case,
“The access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security. Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by articles seven and eight of the charter [of fundamental rights of the EU].”
Crucially, Bot found that the Safe Harbor Agreement did not provide Europeans with any judicial protections from NSA-style “mass, indiscriminate surveillance”. Although Bot’s findings require formal ratification by the ECJ before they are binding in all EU countries, it would be unusual for the Court not to follow his opinion.
So where does this leave the 4500 or so companies that rely on the Safe Harbor Agreement to do business? A report on the finding by Digital Europe, an advocacy group for technology companies in Europe, says that,
“We are concerned about the potential disruption to international data flows if the Court follows today’s Opinion. In addition to the disruption a Court ruling would have on international data flows, it would also frustrate the creation of the Digital Single Market in Europe because it would fragment Europe’s approach to data flows out of the EU.”
In a first response to news of the Opinion, however, Schrems was quick to counter this notion,
“Most transfers of personal data between the EU and the US, like communication, hotel bookings, bank transfers and almost all other forms of necessary data transfers, are always possible under a long list of exceptions in the current EU law… Removing ‘safe harbor’ would mainly mean that US companies have to play by rules that are equal to those their competitors already play by and that they cannot aid US mass surveillance.”
The ruling comes on top of a long-running dispute between the European Parliament, which has been campaigning for the Safe Harbor Agreement to be repealed due to widespread abuse of EU citizens’ data by private companies, and the European Commission, which has ignored these demands.