Advertisement
Dominic Lipinski
we're watching you

Europe's top court has torn up the rules on how US tech giants use your data

All eyes are now on the Irish privacy watchdog.

Updated 11.51

EUROPE’S TOP COURT has effectively torn up the transatlantic deal thousands of tech companies like Facebook use to transfer customer data to the US on the grounds it doesn’t offer users enough privacy protection.

The European Court of Justice (ECJ) has declared the so-called ‘safe harbour’ scheme invalid following spying revelations from former National Security Agency (NSA) analyst-turned whistleblower Edward Snowden.

It said the 15-year-old agreement, which allowed tech companies to automatically shift users’ data to servers in the US, worked against the fundamental rights of EU citizens.

Under the scheme, firms like Facebook, Google and Twitter only needed to provide guarantees they were offering similar protections on data stored in the US to information kept in Europe. An estimated 4,400 businesses have come to rely on the regime.

However once the data was sent offshore, there was in practice nothing stopping US authorities from trawling private details – even if the surveillance would have been illegal in the EU.

The ruling stemmed from a case Austrian privacy activist Max Schrems, 28, brought against Ireland’s Data Protection Commissioner over the automatic transfer of his Facebook data offshore.

Europe Facebook Lawsuit Schrems, left, at the ECJ for the ruling today. Geert Vanden Wijngaert / AP Geert Vanden Wijngaert / AP / AP

Spying allegations

The Irish authority had rejected Schrems’ request to investigate Facebook after the social network was allegedly caught up in the NSA’s spying operations. He appealed the decision to the High Court, which referred a number of questions to the ECJ.

In 2013 it was revealed the secretive NSA had been tapping into the servers of firms including the social network, Google and Microsoft as part of its surveillance programmes.

Today the ECJ said Irish authorities now had to rule with “due diligence” whether the transfer of data from Facebook’s European subscribers to the US should be suspended “on the ground that that country does not afford an adequate level of protection of personal data.”

“YAY,” Schrems, a member of the group Europe vs Facebook, tweeted after the judgment.

The Irish connection

Facebook’s European headquarters is located in Dublin and users in the region agree terms with the company’s local arm when they first sign up.

The decision puts the onus on national authorities to deal with privacy complaints as data transfers from the EU to the US are no longer rubber-stamped by Brussels.

In particular, there will be huge pressure on the Irish Data Protection Commissioner’s office when it comes to handling European internet users’ private information.

As of the end of last year, the privacy watchdog had a staff of 31 housed above a supermarket in Portarlington. Its budget was doubled this year and it has since recruited 18 more workers as well as opening a second, Dublin office.

Court to rule on Facebook privacy The Data Protection Commissioner's offices in June 2014. Niall Carson / PA Archive Niall Carson / PA Archive / PA Archive

Earlier this year Twitter told roughly 240 million users outside the US that their account details were being handled by its Dublin-based subsidiary under Irish privacy and data-protection laws.

As well as offering favourable tax setups to multinationals, Ireland is also seen as offering a more soft-touch approach to privacy regulations than officials in continental Europe.

A milestone

In a statement after the ruling, Schrems said the decision would hopefully prove a “milestone” in online privacy, clarifying that “mass surveillance violates our fundamental rights”.

“The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it,” he said.

The judgment is also a victory against the Irish Data Protection Commissioner (DPC), who has maintained until the end of the procedure, that this case should not be dealt with because it was ‘frivolous’. The Irish DPC has a clear duty to do its job and protect our privacy under EU and Irish law.”

Responding to the judgment, Data Protection Commissioner Helen Dixon said in declaring the old safe harbour rules invalid the judgment had implications “far beyond” Schrems’ case in Ireland.

“In that regard, my office will immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgment can be implemented in practice, quickly and effectively, particularly insofar as it impacts on EU-US data transfers,” she said.

European and US officials have already been trying to nut out a new transatlantic data transfer deal to replace the safe harbour regime, but no agreement has been struck.

- With AFP

- First published 9.19am

Read: Shirts ripped off the backs of Air France executives

Read: Irish-born scientist given a Nobel Prize for his work fighting a horrible parasite

Your Voice
Readers Comments
61
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.