EU court invalidates EU-US data transfer pact

Judges in Luxembourg on Tuesday (6 October) delivered a blow against a 15-year old EU-US data transfer pact.

The European Court of Justice (ECJ) rejected the so-called Safe Harbour agreement and declared it invalid.

Privacy campaigner Max Schrems, whose complaint against Facebook Ireland initiated the case, said the judgment “clarifies that mass surveillance violates our fundamental rights".

He said the judgement makes it "clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights".

The EU judges said Ireland’s court must now decide whether to suspend the transfer of data from Facebook to the United States.

The verdict also affects some 4,400 US firms that have signed up to the self-certification agreement.

Safe Harbour is supposed to provide an “adequate” level of protection whenever data from EU citizens is transferred to the US.

EU data protection authorities had no power to investigate compliance.

But the Luxembourg judges said national supervisors authorities “must be able to examine, with complete independence” the transfer of data to US.

The pact has come under intense scrutiny following 2013 media revelations of mass and indiscriminate spying by the US intelligence services on EU citizens.

The scandal revealed the Maryland-based National Security Agency (NSA) obtained access to data of EU citizens held by big US firms like Apple, Facebook, Google and others.

Known as Prism, the top-secret programme allowed NSA officials to collect search history, live chat, file transfers, and the content of emails.

The case stems from a complaint filed by Schrems to Ireland’s data protection authority against Facebook Ireland in June 2013.

Schrems argued Facebook does not protect his data given the secret Prism programme. Facebook’s Irish subsidiary servers are located in the US, where his data is stored.

Ireland’s data chief dismissed the case a month later because Facebook had signed up to Safe Harbour. Schrems appealed and the Irish High Court then asked the Luxembourg-based court to intervene.

Companies in the scheme declare they respect the data protection guidelines.

But their claims are not subject to any compulsory independent verification. Instead, the companies police themselves.

One study showed hundreds of the US companies lied about belonging to the programme.

So far, the US Federal Trade Commission (FTC) brought 37 cases for making false claims.

The US government enforcement body also has no oversight powers in sectors like financial services, transport, and telecommunications.

The European Parliament wants the agreement scrapped.

"Today's ECJ ruling is the nail in the coffin of Safe Harbour”, said Dutch liberal MEP Sophie In' t Veld i.

German Green MEP Jan Phillip Albrecht i, who steered the parliament's data protection reforms, said the [European] Commission and the Irish data protection commissioner must "immediately move to prevent any further data transfers to the US in the framework of Safe Harbour".

The Commission in 2014 threatened to suspend it, but then issued 13 recommendations to the US on how to improve it.

Almost two years later and talks are still ongoing, in part, because the US does not want to tinker with national security exemptions.