A trans-Atlantic pact that potentially allows US spies to get their hands on European citizens' private data was declared illegal by the EU's highest court, in a ruling that threatens to plunge internet companies into a legal limbo.
Judges at the European Union's top court struck down the so-called safe-harbour accord after a 28-year old Austrian law student complained about how US security services can gain unfettered access to Facebook customer information sent to the US.
The 15-year-old agreement compromises the privacy of EU citizens and their right to challenge the use of their information, the EU Court of Justice said in a ruling in Luxembourg on Tuesday.
"This judgment is a bombshell," said Monika Kuschewsky, special counsel at lawfirm Covington & Burling in Brussels. "The EU's highest court has pulled the rug under the feet of thousands of companies that have been relying on Safe Harbour. All these companies are now forced to find an alternative mechanism for their data transfers to the US. And, this, basically overnight."
The EU's top court has been weighing the validity of the data-sharing accord following revelations by former National Security Agency contractor Edward Snowden about US government surveillance activities and mass data collection. An Irish judge last year called on the EU's tribunal to decide whether the deal still protects privacy and whether national regulators have the power to suspend illegal data flows from the EU to the US.
'Fundamental right'
US legislation "permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life," the EU court said in a binding ruling. The pact "is accordingly invalid."
Austrian privacy activist Max Schrems, triggered the case with a complaint he filed against Facebook with the privacy watchdog in Ireland, where the US social network company has its European base. He alleged that Facebook's Irish unit illegally handed over data to US spies. Schrems had previously filed 22 complaints against the California-based company.
"This judgment draws a clear line," Schrems said in an emailed statement. "It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible."
The law student celebrated his win on Twitter:
*YAY* #CJEU on #SafeHarbor: SH invalid. DPC had to investigate. #EUdataP— Max Schrems (@maxschrems) October 6, 2015
Facebook, like other tech giants Google and Yahoo!, have been reeling from the effects of the Snowden revelations in 2013. The companies have been trying to assure their users or customers that their products are secure and that they don't willingly turn over data to the government.
In a series of tweets, Snowden welcomed the judgement.
Congratulations, @MaxSchrems. You've changed the world for the better. http://t.co/HmGpRq5Dgt pic.twitter.com/rTLYHhvmoY— Edward Snowden (@Snowden) October 6, 2015
This is the second time in as many years the world has relied upon #CJEU to defend digital rights. Thank you Europe. #DataRetentionDirective— Edward Snowden (@Snowden) October 6, 2015
'Bad news'
"This is extremely bad news for EU-US trade," said Richard Cumbley, Global Head of Technology, Media and Telecommunications at Linklaters. "Thousands of US businesses rely on the Safe Harbour as a means of moving information to the US from Europe. Without Safe Harbour, they will be scrambling to put replacement measures in place."
The European Commission and the US mission to the EU in Brussels declined to immediately comment.
The case concerns all US companies that are certified under Safe Harbour -- there are more than 4000 such companies.
The case is: C-362/14, Maximilian Schrems v. Data Protection Commissioner.
Bloomberg