The European Court of Justice has cast doubt on an agreement giving US companies access to the online information of millions of EU citizens.
The Luxembourg-based court said the Safe Harbour treaty between the US and EU, which came into force in 2000, should not prevent Europe’s national privacy watchdogs from checking US firms were taking adequate data protection measures.
It also said US public authorities were not subject to the agreement and added consideration should be given to suspending the transfer of Facebook users’ data from Europe to America.
Here are some of the key questions answered.
:: Why was this case taken?
A legal challenge was launched by Austrian privacy activist Max Schrems over concerns that the social network Facebook might be sharing European’s personal data with US cyberspies. He took the matter to the authorities in Dublin because every Facebook user outside the US and Canada has a contract with Facebook Ireland, allowing the firm to avoid paying US income tax on foreign profits.
European law provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data.
:: Who is Max Schrems?
A former law student who has launched a campaign to protect privacy of European citizens. He was studying in the US and wrote a paper on Facebook’s alleged privacy issues and has become a well-known thorn in the side of one of the world’s most profitable companies.
He is behind a data privacy campaign Europe v Facebook.
How did the case get to Europe?
The High Court in Dublin referred questions raised by a case taken there by Mr Schrems over the alleged mass transfer of personal data to US intelligence services to the European Court of Justice.
He had argued that Ireland’s Data Protection Commissioner, Billy Hawkes, wrongly refused to investigate whistleblower Edward Snowden’s claims that Dublin-based Facebook International had passed on its EU users’ data to the US National Security Agency as part of its Prism surveillance programme.
The transfer of data from firms in the EU to the US is subject to the transatlantic Safe Harbour arrangement dating back to 2000.
:: What is Safe Harbour?
An agreement between the EU and US to streamline how US firms received data from Europe without breaking its rules.
The EU prohibits personal information from being transferred to and processed in places that do not provide adequate privacy protections.
Safe Harbour was introduced to allow US firms to self-certify that they are carrying out the required steps.
More than 5,000 companies make use of the arrangement to allow data transfers.
:: What did the court say about Safe Harbour?
United States public authorities are not themselves subject to the agreement. National security, public interest and law enforcement requirements of the United States prevail over the Safe Harbour scheme, so that United States is “bound to disregard” the protective rules laid down by that scheme where they conflict.
The judgment said the scheme enables interference, by United States public authorities, with fundamental rights.
:: How do the judges know that?
The US authorities were able to access the personal data transferred from EU member states to the US and process it in a way “incompatible” with the purposes for which it was transferred and beyond what was strictly necessary and proportionate to the protection of national security.
Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling the data relating to them to be accessed and rectified or erased.
:: What happens now?
The Irish authorities are required to re-examine Mr Schrems’ complaint and consider whether transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.