Bye bye Safe Harbour – ECJ says DPC must act on Schrems

6 Oct 2015

The European Court of Justice (ECJ) has landed a fairly heavy blow to the now much-maligned EU-US data transfer Safe Harbour agreement, finding that local privacy watchdogs can check on resident US companies’ data protection measures.

In a case that was going to have significant fall out no matter which way the ECJ decided, ruling against the European Commission’s (EC) decision to respect Safe Harbour will cause chasms in the EU, and consternation across the Atlantic.

Two key lines are included in the pre-judgement release from the court, vindicating Max Schrems’ arduous task of taking the Irish data protection commissioner (DPC) to task for not investigating his Facebook concerns adequately.

Oversight a requirement

“The Court states, first of all, that no provision of the directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission decision,” effectively overruling anybody who thinks saying ‘Safe Harbour’ at any data privacy concerns is enough to win the argument.

“Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive.”

The DPC always argued, though, that action could not be taken due to a European Commission decision, which no longer applies now that the ECJ has overruled it. The court went so far as to say only it could make this decision, vindicating the DPC’s actions.

Schrems investigation required

The statement goes on to emphasise that the DPC in Ireland must examine Schrems’ complaint “with all due diligence”.

If it finds that the transfer of Facebook user data from the EU to the US “does not afford an adequate level of protection of personal data”, it should suspend it.

And so other companies like Google, Twitter, Apple, et al. – each with prominent bases in Ireland – will most likely have to adapt to growing investigations from local data protection bodies.

How did we get here?

For context, this stems from Schrems’ decision that, on the back of Edward Snowden’s lengthy revelations, his personal Facebook data, when transferred from Austria, through Dublin and on to the US, was not afforded the right level of protection.

Under Safe Harbour, companies registered under the agreement can send their data from the EU to the US free from interference.

The EU forbids personal data from being transferred outside of its borders unless it finds that the end locations offer “adequate” protections.

The US doesn’t, but in order to “streamline” data flows this transatlantic agreement was put together back in 2000.

Since then, plenty has changed and, with the onset of widespread social media adoption, it means a lot of our personal information is under direct surveillance in the US. Worse still, EU citizens have no rights to bring a case against the unlawful use of their data in the US.

A weakened agreement

Safe Harbour has been weakened almost daily ever since Snowden’s revelations, in particular of the NSA’s Prism programme.

This could be the final nail in its coffin, though, with the EU and US frantically trying to establish a new accord to replace an agreement that lacks all credibility this side of the Atlantic.

“This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence,” reads the ECJ statement.

“At the conclusion of its investigation, [it] is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.”

Main image via Shutterstock

Gordon Hunt was a journalist with Silicon Republic