On October 6, the European Court of Justice (ECJ) ruled that the safe harbour agreement—which provides a single standard for transatlantic data transfer and storage—between Europe and the U.S. is no longer valid. The ruling means that European countries can set their own regulations prescribing how the U.S. handles EU citizens’ data. “Safe harbour” status in the U.S. was called into question following the Edward Snowden revelations of routine NSA surveillance.
The European Court of Justice ruling came about after Austrian citizen and lawyer Max Schrems led a class action lawsuit against Facebook. In 2012, Schrems, then a law student, spent a semester in the U.S. at Santa Clara University where he heard a Facebook privacy lawyer speak.
Schrems was shocked by the lawyer’s limited grasp of the severity of data protection laws in Europe. He decided his thesis paper for the class would be about Facebook’s misunderstanding of privacy law in his home continent. In the course of his research, he discovered that Facebook’s dossiers on individual users are hundreds of pages long and include information users thought had been deleted. When he returned to Austria …he formed an activist group called Europe v. Facebook (to legitimize his campaign and make it seem like more than just one law student) and publicized his findings online, leading to widespread media attention, a probe by a European privacy regulator, and questions from Congress.
Schrems filed a complaint with the Irish Data Protection Commissioner (DPC), declaring the laws and practice of the U.S. do not offer sufficient protection against surveillance of personal data by public authorities. However, the DPC rejected the complaint because EU citizen data was under the protection of the Safe Harbour provision. Schrems applied for a judicial review and his case was referred to the European Court of Justice.
Many European data protection regulators, particularly those in Germany, have long believed that the conditions for the safe harbour scheme are not substantial enough, and the effect of today’s ruling will empower them to investigate and check the acceptability of any data transfer themselves.
In the judgment, the European Court of Justice agreed with Max Schrems about the protection of European citizens’ fundamental right to privacy and data protection once their data reaches the U.S. The Court granted additional methods of policing and intervention, and additionally, put pressure on the EU and U.S. to write a successor to Safe Harbour that enforces EU citizens’ fundamental rights to privacy and data protection wherever it is stored and processed.
Reacting to the Court’s judgement, Schrems said he hopes that it will become a milestone in online privacy. “This judgment draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible,” he said in a statement.
Download The Guide to Modern Endpoint Backup and Data Visibility to learn more about selecting a modern endpoint backup solution in a dangerous world.