U.S. Data-Sharing Pact With EU Violates User Privacy, Court Says

     (CN) – The EU high court on Tuesday gutted the European Commission’s finding that U.S. data protection is adequate – and the U.S.-EU data-sharing pact – since the NSA spying scandal uncovered by whistleblower Edward Snowden has proven otherwise.
     Tuesday’s decision comes less than two weeks after the European Court of Justice’s adviser wrote a blistering advisory opinion for the court, in which he chastised the commission for blindly accepting that the “safe harbor” policy – a scheme between the United States and Europe in which businesses voluntarily promise to protect consumers’ personal data – offers an adequate level of protection for EU citizens’ data.
     The case involves Austrian national and privacy activist Maximillian Schrems, a Facebook user since 2008 who lodged a complaint with the Irish data-protection authority when he learned that Facebook Europe routinely transfers EU users’ data to U.S.-based servers. EU law allows for personal data transfers to third nations only where the European Commission finds the third nation’s controls are adequate.
     Schrems argued that revelations made by National Security Agency whistleblower Edward Snowden in 2013 showed that the United States’ laws and practices in fact meant his data was not safe from unwanted surveillance – in this case, by the United States government itself.
     The Irish authority rejected Schrems’ complaint in light of a 2000 finding by the commission that the safe harbor scheme offered the necessary “adequate” level of protection for legal transfers out of the EU.
     Schrems took his case to the High Court of Ireland, which asked the European Court of Justice to weigh in on whether national data-protection authorities can suspend data transfers to third nations on their own despite a commission finding of adequate protection in those nations.
     Taking its advocate general’s advice, the Luxembourg-based high court ruled that even where the commission makes a finding that a third nation’s data protections are adequate, national data-protection authorities have the constitutional power to challenge the commission’s finding before the European Court of Justice – the only entity that can invalidate a commission decision.
     And the high court also invalidated the commission’s finding that the safe harbor policy provides adequate consumer-data protection – a given since the commission itself had noted that the protections provided under safe harbor do not bar U.S. law enforcement and government authorities from accessing user data.
     “The commission found that the United States authorities were able to access the personal data transferred from the member states to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security,” the high court wrote in a 17-page opinion. “Also, the commission noted that the data subjects had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.”
     Such free-wheeling access and use of the personal data of EU citizens by government – and the lack of any way for citizens to challenge potential government access of their personal data – runs contrary to the EU constitution and cannot be considered adequate protection for the purpose of transferring data to servers in the United States, the court said.
     Furthermore, the commission’s decision regarding the safe harbor policy keeps member states’ data-protection authorities from exercising their powers to respond to citizens who don’t want their personal data sent to servers in the United States, the court found – a point that adds to the invalidity of the commission’s decision.
     Given that, the high court ordered the Irish data-protection authority to examine Schrems’ complaint and decide whether the transfer of data from Facebook Europe users to the United States should be suspended on the ground that users are not adequately protected.
     But the court’s opinion danced around the elephant in the room – Snowden’s revelations of mass surveillance by the NSA, not just on U.S. citizens but also on EU citizens, leaders and government offices.

%d bloggers like this: