In a landmark ruling that will have far-reaching repercussions, Europe’s highest court has ruled that data sharing between the EU and US under the Safe Harbour framework is invalid.
In a David versus Goliath battle, an Austrian law student may topple the biggest EU-US data sharing deal when he gets his day in court in a couple of weeks’ time.
Max Schrems, who set up the Europe v Facebook group, alleges that Facebook violated the so-called safe harbour agreement which protects EU citizens’ privacy by transferring personal user data to the US National Security Agency (NSA).
The European Court of Justice (ECJ) will hear details of the case on 24 March.
Schrems first appealed to the Irish Data Protection Commissioner to investigate his claims. He was refused on the grounds that Facebook was signed up to the safe harbour agreement and so could transfer data to the US with impunity.
Under European data protection law, companies can only transfer consumer data out of the EU to countries where there is an “adequate” level of privacy protection. As the US does not meet this adequacy standard, the European Commission and the US authorities came up with a workaround and, in 2000, set up the voluntary safe harbour framework whereby companies promise to protect European citizens’ data.
These promises are enforced by the US Federal Trade Commission – but since the Snowden revelations, there has been doubt these promises are worth the paper they’re written on.