EU court strikes down transatlantic data deal in Facebook case

LUXEMBOURG – Agence France-Presse

Max Schrems, left, and his lawyer Herwig Hofmann, right, walk in the hallway after a ruling at the European Court of Justice in Luxembourg on Tuesday, Oct. 6, 2015. AP Photo

The European Union’s top court on Oct. 5 ruled that a key transatlantic data sharing deal relied on by companies such as Facebook was invalid in the light of spying revelations in the Edward Snowden scandal.

In a major blow to U.S. tech firms, the court said the 2000 “Safe Harbor” agreement between the United States and the EU did not sufficiently guarantee the protection of Europeans’ personal data and must be struck out.

The stunning decision stems from a David-and-Goliath complaint against social media giant Facebook lodged against Irish authorities by Max Schrems, an Austrian law student privacy campaigner.

“The Court of Justice declares that the (European) Commission’s US Safe Harbor Decision is invalid,” the European Court of Justice in Luxembourg said in its three-page judgment.

The court said Irish authorities now had to decide whether transfer of data from Facebook’s European subscribers to the United States should be suspended “on the ground that that country does not afford an adequate level of protection of personal data.”   

“YAY,” Schrems tweeted after the judgment.

He later said in a statement that the decision was a “milestone when it comes to online privacy.”

“It clarifies that mass surveillance violates our fundamental rights. This decision is a major blow for U.S. global surveillance that heavily relies on private partners,” he said.

Schrems filed the case against Ireland’s data protection authority because Facebook’s European headquarters are based there.

Major U.S. web giants including Facebook and Apple have set up headquarters in Ireland to take advantage of favorable tax laws. Facebook data is then transferred to servers in the United States.

But Schrems had argued that the 15-year-old Safe Harbor deal is too weak to guarantee the privacy of European residents in the wake of details provided by former U.S. National Security Agency (NSA) contractor and whistleblower Snowden.

The data deal allows data transfers by thousands of businesses on the grounds that U.S. laws offer similar protection to those in the 28-nation European Union.

The European Commission - the executive arm of the EU - is widely expected to announce the imminent agreement of a new version of the Safe Harbor pact with the United States.

There was no immediate reaction to the judgment from Washington, but last month the United States said an opinion by the EU court’s top legal counsel which reached similar conclusions was based on “inaccurate assertions.”

The case comes amid widespread tensions between Brussels and Washington on issues of regulation, with several EU anti-trust probes currently underway into U.S. tech firms.

“The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens,” the US mission to Brussels said in a statement last week.

“We fully respect the European Union’s legal process; however, we believe that it is essential to comment in this instance because the Advocate General’s opinion rests on numerous inaccurate assertions about intelligence practices of the United States.”

Snowden, who remains wanted by the United States and currently lives in Moscow, opened a Twitter account last week, just days before the judgment.

His revelations showed that the NSA’s PRISM program used Silicon Valley giants Apple, Google and Facebook to gather user data.

In the wake of the scandal, the EU and Washington began talks to revamp Safe Harbor.