It looks like Max Schrems’ long-running fight to halt the transfer of his Facebook data from Europe, through Ireland, and on to the US has culminated in a resounding victory for the Austrian law student.
The Europe vs Facebook case revolves around Schrems’ realisation that his personal data was flowing right through Europe and on to the US, with scant regard for his personal privacy.
Under the terms of an EU/US deal called Safe Harbour, whereby data is sent across the Atlantic as long as the recipient has the proper protocols in place to ensure privacy and protection, Schrems has consistently pointed out the unfair situation he had found himself in.
With Edward Snowden’s lengthy and damaging revelations about just how indiscriminate the surveillance of pretty much everybody can get in the US, Schrems had argued that Safe Harbour should be irrelevant.
Europe vs Facebook through the houses
The Irish Data Commissioner though, to whom Schrems had originally brought his case as Facebook’s data regulation offices are based in the country, felt obliged to allow the data transfer to happen, as EU rules said it was allowed.
That led to Schrems driving his case up through the legal ladder until today’s opinion from European Court of Justice advisor Yves Bot, which argues that state data protection authorities have an obligation to protect the data of EU citizens, despite the Safe Harbour agreement.
It seems like now, Schrems has finally won.
*YAY* AG at the #CJEU: #SafeHarbor is invalid. Irish #DPC has a duty to investigate. Further details as soon as we get the written version.
— Max Schrems (@maxschrems) September 23, 2015
“After an initial review of the advocate general’s opinion of more than 40 pages it seems like years of work could pay off,” said Schrems. “Now we just have to hope that the judges of the Court of Justice will follow the advocate general’s opinion in principle.
“If the Safe Harbour system is gone, it is very likely that the data protection authorities in the 28 EU member states will not allow data transfers to US companies that are subject to mass surveillance laws. This may have major commercial downsides for the US tech industry.”
If Safe Harbour was to be removed it would not stop data transfers in totality, but it would stop the free flow that is currently in place.
US doesn’t offer sufficient security
Bot’s assessment of the situation was pretty clear, he said that state data protection bodies have a duty to step in and protect the rights of EU citizens if they feel the transfer undermines those rights.
Given the general acceptance that US protocols are a bit more emphatic than previously thought, that could render quite a lot of data transfers obsolete.
“The inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States amounts, in the Advocate General’s view, to an interference with the right of EU citizens of the to an effective remedy, protected by the Charter,” said Bot.
“According to the Advocate General, that interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance.”
Main image via Shutterstock