The “Safe Harbour” framework—which is supposed to ensure data transfers from the EU to the US are legal under European data privacy laws—does not satisfy the EU’s Data Protection Directive as a result of the “mass, indiscriminate surveillance” carried out by the NSA. That’s the opinion of the Court of Justice of the European Union (CJEU) Advocate General Yves Bot, whose views are generally followed by the CJEU when it hands down its final rulings.
The case was sent to the CJEU by the High Court of Ireland, after the Irish data protection authority rejected a complaint from Maximillian Schrems, an Austrian citizen. He had argued that in light of Snowden’s revelations about the NSA, the data he provided to Facebook that was transferred from the company’s Irish subsidiary to the US under the Safe Harbour scheme was not, in fact, adequately protected. The Advocate General Bot agreed with Schrems that the EU-US Safe Harbour system did not meet the requirements of the Data Protection Directive, because of NSA access to EU personal data.
According to the CJEU statement (PDF link), “the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the [Charter of Fundamental Rights of the EU].” Another issue, according to the Advocate General, was “the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States,” which therefore amounts to “an interference with the right of EU citizens to an effective remedy, protected by the Charter.”
Bot was also concerned about the lack of proportionality. Because the spying carried out by the United States intelligence services is “mass, indiscriminate surveillance,” an adequate level of protection isn’t available to EU citizens’ data sent by US companies from their European subsidiaries. As a result, the conditions laid down by the EU’s Data Protection Directive for legal transfers could not be met.
DigitalEurope, which represents the digital technology industry in Europe, said in a press release that 4,500 companies use the Safe Harbour scheme to transfer data to the US, and that it was “concerned about the potential disruption to international data flows,” if the CJEU follows the Advocate General’s recommendation.
However, commenting on today’s opinion, Schrems points out that not all data flows would be affected: “The end of this privileged status [Safe Harbour] would not mean that personal data cannot be transferred between the EU and the US.” That’s because Safe Harbour self-certification is only needed in certain circumstances: “Most transfers of personal data between the EU and the US, like communication, hotel bookings, bank transfers and almost all other forms of necessary data transfers, are always possible under a long list of exceptions in the current EU law.” Moreover, Schrems claims: “Removing ‘safe harbor’ would mainly mean that US companies have to play by rules that are equal to those their competitors already play by and that they cannot aid US mass surveillance.”
Even before this opinion, the European Commission was already trying to re-negotiate the Safe Harbour agreement with the US. The Advocate General noted: “If the Commission decided to enter into negotiations with the United States, that is because it considered beforehand that the level of protection ensured by that third country, under the safe harbour scheme, was no longer adequate.”
Schrems points out that if the CJEU follows this opinion, it could have even wider implications: “As the advocate general has very much relied on fundamental rights arguments this clarification may, if confirmed by the court, be binding not only for the European Commission but also for the European Legislature in the ongoing reform of the EU’s data protection laws.”
That’s an impressive result for one person’s dogged attempt to get Facebook to take privacy seriously—something that was made possible by crowdfunding the legal costs. Everything now hinges on the definitive ruling by the CJEU, expected later this year.