The court said leaks from Edward Snowden, the former contractor for the National Security Agency, made it clear that USA intelligence agencies had nearly unfettered access to the data, infringing on Europeans’ rights to privacy.
Advertisement
Mr Schrems claimed Ireland’s data watchdog had an onus to uncover what information Facebook held on users and ultimately what was being transferred to the USA under Safe Harbour and being accessed through Prism.
“Losing Safe Harbor would be hugely disruptive to all sorts of business”, said a representative of a U.S.-based cloud services company. Schrems sought a judicial review of the decision from the Irish high court, which in turn asked the CJEU to rule whether the DPC was right to defer to the Commission’s Safe Harbor agreement or whether it should have investigated the complaint.
In its ruling, the ECJ says: “Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the European Union, the Court observes that the scheme is applicable exclusively to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it”.
Since 2000, a “Safe Harbor” agreement has allowed US companies to store personal data on European nationals as long as the companies comply with a specific set of rules to minimize abuse.The decision could have far-reaching consequences affecting many other British and Irish companies, legal experts have said. But its underlying rationale, that the USA is an unsafe place for European citizens’ personal data, could have a wider impact.
“Europe’s high court just struck down a major law routinely abused for surveillance”, Snowden tweeted on Tuesday, adding that “we are all safer as a result”.
“The biggest casualties will not be companies like Google and Facebook because they already have significant data center infrastructure in countries like the Republic of Ireland, it will be medium-sized, data-heavy tech companies that don’t have the resources to react to this decision”.
In an interview with the BBC broadcast Monday, Snowden said he was ready to go to prison if US authorities would accept a plea bargain.
“In the light of the ruling we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic”, he said.
“The Court of Justice declares that the Commission’s U.S. Safe Harbor Decision is invalid”, it said in a statement.
Schrems insisted he was never seeking to strike a blow to Facebook. All firms had to do was self-certify that they would protect European Union citizens’ data with “adequate” privacy protection, a process that campaigners have challenged for years as inadequate.
Advertisement
“Companies have worked under this agreement for 15 years”, said Christian Borggreen, Europe director at the Computer and Communications Industry Association, a lobby group based in Washington and Brussels.
