TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Schrems Reacts to Advocate General's Opinion on Safe Harbor Related reading: Schrems v Data Protection Commissioner Just Got a Lot More Interesting

rss_feed
Webcon_PA_300x250_ad_Gigya
iapp-privacycore
PSR17_WebBanner_300x250-COPY

It's been a long road for Austrian student Max Schrems' group Europe v. Facebook, but today, Schrems is celebrating. European Court of Justice (ECJ) Advocate General Yves Bot has issued his opinion in a case originally filed by Schrems' group alleging the U.S. National Security Agency collected Europeans' data from Facebook in violation of EU law, and it looks like Schrems' work may not have been in vain. 

Bot agrees with Schrems, it seems, and if his opinion reflects the eventual opinion of the ECJ, it could mean big trouble for data transfers from the EU to the U.S., especially without changes to the role mass surveillance systems play in data access. 

It started in 2012, when then-little-known activist Schrems launched 22 complaints against Facebook, alleging it collected information from users they didn't realize was being collected, and demanded the company, with EU headquarters in Ireland, provide more information about the data it collects from users. Things heated up after the Snowden revelations in 2013. Schrems complained to Ireland's Office of the Data Protection Commissioner (DPC). Though the U.S. is technically considered an "adequate" country to export data to via Safe Harbor, Schrems claimed, the mechanism doesn't adequately protect that data because of U.S. intelligence agencies' access to it, and therefore the transfer is unlawful. And when Ireland's DPC refused to investigate, Schrems sued. So not only was Facebook's data-handling at issue but the very validity of the Safe Harbor data transfer agreement itself. The outcome of the case could have serious implications for the more than 4,000 companies relying on Safe Harbor, including Google, Apple and Microsoft. The case eventually reached Europe's highest court, the ECJ. 

Here's Schrems at the IAPP Europe Data Protection Congress in Brussels late last year, discussing the case. 

While many at the time perhaps dismissed Schrems, a college student in his early 20s staring down both a multibillion-dollar company and a widely used international data-transfer mechanism, Schrems was steadfast in his determination. And today, Bot opined: 

... in the light of the essential role played by the national supervisory authorities in the system put in place by Directive 95/46, they must have the power to order the suspension of the transfer of data where there is a proven breach or a risk of a breach of fundamental rights. 

Bot further concluded the EU's various data protection rules 

must be interpreted as meaning that the existence of a decision adopted by the European Commission ... does not have the effect of preventing a national supervisory authority from investigating a complain alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.

In other words, the Irish DPC should have investigated the complaint Schrems made.

In a written analysis of the court's ruling, Schrems said "it seems like years of work could pay off. Now we just have to hope that the judges of the Court of Justice will follow the advocate general's opinion in principle." 

He was also quick to thanks those who played a key role in his case. 

Bots opinion is, however, nonbinding and is only followed by the court about 85 percent of the time, so Safe Harbor's fate remains to be determined for now. But as Schrems says in his reaction today, the ramifications could be large. 

“If the Safe Harbor system is gone, it is very likely that the data protection authorities in the 28 EU member states will not allow data transfers to U.S. companies that are subject to mass surveillance laws. This is may have major commercial downsides for the U.S. tech industry.”

Comments

If you want to comment on this post, you need to login.