The European Court of Justice (ECJ) has issued its ruling concerning the validity of the EU-US Safe Harbour data storage agreement. Following recommendations made in the Advocate General’s (AG) Advisory Opinion on 24 September, the ECJ has declared the agreement invalid as it compromises EU data standards and citizens’ fundamental rights to privacy.
The case concerned a challenge taken by Austrian student Max Schrems against the Irish Data Protection Commissioners (DPC). Mr. Schrems’ original action concerned the DPC’s refusal to investigate a complaint relating to the way in which Facebook – whose European operations are based in Ireland – stores and transfers European users’ information to US surveillance agencies, including the National Security Agency, as alleged by US whistleblower Edward Snowden. Schrems initially issued proceedings for judicial review against the DPC in the Irish High Court, which referred the case to the ECJ for clarification on the reconciliation of citizens’ rights to privacy and data protection and the ‘Safe Harbour’ Principles agreed between the EU and US governments. The AG had previously recommended that the practice be declared invalid.
Safe Harbour permits US companies to transfer data outside of the EU provided they have “self-certified” that the data will receive a guaranteed level of protection. The allegations made by Edward Snowden concerning the NSA’s mass surveillance PRISM programme have prompted concern that European citizens’ private information is being given to the NSA as part of this programme. The ECJ ruled that these revelations alleging US intelligence agencies had access to the transferred data violated the EU’s data protection directive and Articles 7 and 8 of the EU Charter of Fundamental Rights.
The ECJ found that the DPC was incorrect in failing to investigate Mr. Schrems’ original complaint. The Court held that the DPC could not claim to be “absolutely bound” by the Safe Harbour provision and it must be possible for national authorities to halt the transfer of individuals’ private data out of the EU to US security agencies. The case will now revert to the High Court to instruct the DPC to fully investigate the claim and conclude whether Facebook’s data transfer arrangement should be suspended.
Facebook responded by calling for greater legal clarity on the Safe Harbour guidelines. Whilst the ECJ ruling does not render data transfers illegal immediately, it creates a great deal of legal uncertainty for corporations adhering to the Safe Harbour principles. The ruling also emphasises the role national supervisory authorities must play in protecting EU citizens’ private data.