The European Court of Justice’s advocate general yesterday said the “mass, indiscriminate” US surveillance of citizens’ data, as revealed by Edward Snowden, had raised serious concerns about the protection of personal information that was being transferred from Europe to the US.
If confirmed by the ECJ’s judges, AG Yves Bot’s recommendation will mean that authorities in EU states will be free to suspend the transfer of information to the US if there are data protection concerns.
The recommendation came after an Austrian campaigner brought a case against the Irish Data Protection Commissioner (DPC) to the High Court in Dublin.
“This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies, including EU subsidiaries of US companies,” Max Schrems said after the ruling.
Mr Schrems had asked the DPC to investigate Facebook’s European operations in Dublin, but the DPC declined this request because of a European directive from 2000.
It claimed the so-called Safe Harbour agreement ensured the US was compliant with adequate levels of data protection laws, and therefore an investigation was unnecessary.
The High Court referred the matter to the ECJ, leading to yesterday’s recommendation.
In his recommendation, Mr Bot said “the revelations about the practices of the United States’ intelligence services as regards the generalised surveillance of data transferred under the safe harbour scheme have shed light on certain insufficiencies” specific to the agreement.
“Indeed, the access of the United States’ intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security,” Mr Bot said.
“Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter (of Fundamental Rights of the EU),” he said.
He further emphasised that the safe harbour scheme “does not contain appropriate guarantees for preventing mass and generalised access to the transferred data”.
Simon McGarr of Digital Rights Ireland, which was a party as an amicus to the case, said Safe Harbour was the primary method by which EU citizens’ data can be transferred to the US.
“If the court does strike down the Safe Harbour agreement, then there won’t be permission to transfer data from Europe to the US in the way that was the case until now,” he said.
“Once that happens we may see efforts redoubled to find a political solution between the EU and US. They may find a new agreement which has been in the process of negotiations for years, but it has yet to bear fruit. That may leap up the political agenda,” he said.
Mr McGarr said that there was now an onus to find a credible alternative to the safe harbour agreement, which had no independent oversight to ensure that European citizens’ data was being protected adequately.
He said the Irish Data Protection Commissioner will now be required to investigate more of the complaints it receives, instead of dismissing them by referring to the European directive.
What the ruling means for Ireland, Europe, and US tech multinationals
The ECJ’s advocate general Yves Bot declared that the rules governing how US companies handle the personal data of EU citizens are insufficient. These rules came under what is known as the Safe Harbour agreement. A European Directive from 2000 declared that the provisions under the Safe Harbour agreement gave adequate protection for citizens’ data.
That’s thanks to Edward Snowden, who revealed that US intelligence services were accessing personal data as part of their Prism scheme. Mr Bot described this level of surveillance as “mass, indiscriminate”, and “inherently disproportionate”. Safe Harbour is also self-regulated by the companies that signed up to the agreement, meaning there is no independent oversight to ensure that EU citizens’ data is safe.
Austrian campaigner Max Schrems asked the Irish Data Protection Commissioner to investigate Facebook’s Ireland offices to see if users’ data was being adequately protected.
Because Facebook’s Dublin office is its international headquarters — all users outside of North America are registered with this office and agreed to its terms and conditions. As it is in Ireland, it comes under the jurisdiction of the Irish DPC.
The DPC said it didn’t need to investigate his complaint. The DPC decided that, because Facebook had signed up to Safe Harbour and because the European Directive from 2000 deemed the agreement to adequately cover data protection, there was no need to investigate. Mr Schrems disagreed, and brought a case to the High Court in Dublin, which in turn referred it to the European Court of Justice. This led to yesterday’s opinion by its advocate general.
Mr Bot’s opinion is just that — it isn’t a binding decision and must be ruled on by the ECJ’s judges. In 80% of cases the judges follow the AG’s opinion and even surpass it in some cases.
Very. He said: “It is great to see that the advocate general has used this case to deliver a broad statement on data transfers to third countries and mass surveillance. This finding has also an important impact on the negotiations between the EU and the US regarding a new Safe Harbour system, as it must be now assured that the mass access of national security agencies to EU data transferred to the US needs to be definitely excluded.”
They’re not going to be too happy. As Mr Schrems said, this decision will have major commercial downsides for US tech companies. “If the Safe Harbour system is gone, it is very likely that the data protection authorities in the 28 EU member states will not allow data transfers to US companies that are subject to mass surveillance laws,” he said. “Companies that participate in US mass surveillance and provide, for example, cloud services within the EU and rely on data centres in the US may now have to invest in secure data centres within the European Union.”
It could mean that it will have to undertake a lot more work and follow through on more complaints. Yesterday, Mr Schrems said only 3.2% of all complaints received by current DPC Helen Dixon in 2014 led to a formal decision by the commissioner. Under previous DPC Billy Hawkes, rates were between 2% and 4%, and all other complaints were “informally resolved”. “What the DPC calls ‘informally resolved’ is in fact a euphemism for complaints that are simply not processed,” Mr Schrems said. “Citizens simply get an informal email by the DPC saying that their case is not dealt with, just like in this case on Prism.”
Digital Rights Ireland said that if the ECJ’s judges followed the advocate general’s decision, it would lead to a “culture change” at the DPC which will have to investigate more of the complaints it receives.