The European Court of Justice, Europe’s highest court, has just shot down the Safe Harbor, an arrangement between the European Union and the United States allowing for the transfer of personal data, in a case against Facebook. This has the potential to transform arguments between the E.U. and United States over privacy and surveillance. The decision is complex, and lawyers will be arguing over its more subtle implications for years. Here’s a first take on the main points (we talk about the background in a separate post).
The European Court of Justice has found that U.S. surveillance breaches the fundamental rights of European citizens.
This is the clearest and most important implication of the ruling. The court’s fundamental problem with the Safe Harbor arrangement is that there aren’t any real protections for European citizens under U.S. law. When European citizens’ personal data is transferred to the United States, U.S. authorities have “access on a generalised basis” to it, without any opportunities for European citizens to control how they use it or seek redress in the courts. The Safe Harbor arrangement specifically says that when U.S. laws (such as laws allowing U.S. authorities to demand access to foreigners’ data) conflict with the Safe Harbor, the Safe Harbor loses. Hence, from the court’s perspective, Safe Harbor doesn’t provide any protection against U.S. government measures that compromise “the essence of the fundamental right to respect for private life.” This means that the European Commission was acting beyond its powers when it agreed to Safe Harbor in the first place.
European citizens and privacy officials can challenge international privacy deals.
One of the key issues in the case that led to the ruling was the refusal of Ireland’s “data protection commissioner” — the official effectively charged with protecting the privacy of European citizens who use Facebook, Google, etc. — to consider whether or not Safe Harbor broke European privacy law. The commissioner claimed that Irish legislation prevented him from doing so. The European Court of Justice didn’t like this — at all. It has laid out a clear pathway through which European privacy officials and European citizens can challenge commission decisions (e.g. on whether a third country has sufficiently high privacy standards). If a citizen objects, she can bring her complaint to the relevant data protection commissioner. If the commissioner agrees with her objection, he can seek court action that will allow the European Court of Justice to consider the complaint. If the commissioner disagrees, the citizen should be able to appeal to the courts, again allowing the European Court of Justice to consider the complaint (and whether to declare the decision invalid).
Read the full piece at The Washington Post.