The European Court of Justice ruled on Tuesday that the US does not provide sufficient protection for transferred personal data of EU citizens. The EU Safe Harbor decision is therefore invalid, which could have major consequences for internet companies.
American companies have subscribed to the Safe Harbor protection, but government agencies are not subject to it, according to the Court. The European Court of Justice points out that US national security, public interest and investigative powers take precedence over the Safe Harbor principles. In the event of conflicts with those powers, the US must therefore disregard the protective measures of the Safe Harbor provisions, argues the CJEU.
American companies such as Google, Facebook and Microsoft are allowed to process data from European users because the European Commission has designated the US as a country where it is sufficiently guaranteed that data is adequately protected. The EU did so in decision 2000/520/EC of 2000, with reference to the Safe Harbor principles.
The Austrian Maximilian Schrems believed that Facebook data in the US was not in good hands. Facebook violated European privacy rules, he claimed. He pointed to the revelations of Edward Snowden that the US government has large-scale access to user data. The NSA intelligence service reportedly has access to servers of American tech companies through, among other things, the Prism eavesdropping program.
Schrems lodged a complaint with the Irish privacy watchdog, the Irish Data Protection Commissioner, but the complaint was rejected. The European headquarters of Facebook is located in Ireland. Schrems then went to the country’s Supreme Court, which referred the case to the European Court of Justice.
The judgment was preceded by a recommendation from the Advocate General of the CJEU, Yves Bot. The Court usually adopts the advice. The Advocate General noted that both the Irish Supreme Court and the European Commission had already established that the US collects data from EU citizens on a large scale, without adequate protection. That the European Commission recognizes that protection is not sufficient is, according to the Advocate General, also apparent from the fact that the EU and the US are renegotiating to improve safeguards.
The Advocate General also stated that regardless of the decision, national regulators have the power to independently investigate complaints about the level of protection in the transfer of data. That advice has also been adopted by the European Court of Justice.