Facebook and other Internet giants could be barred from sending European citizens’ personal information to the US after the EU’s top court on Tuesday struck down a key transatlantic data deal in the wake of the Edward Snowden scandal.
The landmark verdict stemmed from a case lodged by Austrian law student Max Schrems, who challenged the “Safe Harbour” agreement between Washington and Brussels in 2000 on the grounds it did not properly protect European data.
The European Court of Justice said authorities in Ireland, where Schrems lodged the case, now have to decide whether transfers of data from Facebook’s European base to its HQ in the United States should be suspended outright.
“The message is clear — mass surveillance is not possible in Europe (and is) against fundamental rights,” Schrems, who turns 28 this month, told reporters at the court building in Luxembourg.
Snowden — the former National Security Agency whistleblower who in 2013 revealed a worldwide US surveillance programme harvesting the data, said Schrems had “changed the world for the better.”
“Europe’s high court just struck down a major law routinely abused for surveillance,” Snowden, who is wanted by the US and has been granted asylum in Russia, wrote on Twitter.
“Thank you Europe.”
Thousands of companies ranging from Google and Amazon to smaller businesses rely on Safe Harbour to transfer personal data — ranging from names, addresses and dates of birth to anything else they add to their profiles.
– Facebook urges action –
Facebook called for Washington and Brussels to sort out the situation urgently, insisting the case was “not about Facebook” and that it had done nothing wrong.
“It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security,” a Facebook spokeswoman said in an emailed statement to AFP.
Global companies routinely transfer the data from their European operations to their headquarters in the United States where their computer servers are based.
The EU said it had started negotiating a new Safe Harbour arrangement with the US before the verdict, but insisted that firms could keep sending personal information across the Atlantic in the meantime.
“We have already been working with the American authorities to make data transfers safer for European citizens. In the light of the ruling, we will continue this work towards a renewed and safe framework,” European Commission Vice President Frans Timmermans said.
Privacy campaigner Schrems was jubilant after the decision tweeting “Yay!” and saying the verdict was a “major blow for US global surveillance that heavily relies on private partners.”
The Austrian had argued that the 15-year-old Safe Harbour deal was too weak to guarantee the privacy of European residents following Snowden’s revelations.
He filed the case in Ireland where Facebook’s European headquarters are based but it was originally rejected and then passed to the ECJ.
The ECJ declared in a three-page ruling that the Safe Harbour deal was “invalid”.
– ‘Strong signal’ for rights –
The Irish authorities now have to decide whether transfer of data from Facebook’s European subscribers to the United States should be suspended “on the ground that that country does not afford an adequate level of protection of personal data,” the court said.
Ireland’s data protection commissioner said the case would be considered by the country’s high court “as soon as is practicable”.
The ruling has set up another clash over privacy rights between the United States and Europe, two years after the Snowden revelations of mass spying first caused alarm in Brussels.
Germany welcomed the EU Judgment, no surprise in a country where relations with Washington were badly strained when Snowden revealed the alleged tapping of Merkel’s mobile phone by US snoopers.
Germany’s justice minister Heiko Maas said the ruling was a “strong signal for fundamental rights protection in Europe,” adding that “those who offer products or services in the EU must adhere to EU data protection rights — no matter where the server is.”
There was no immediate reaction to the Judgment from Washington.
But last month the United States said an opinion by the EU court’s top legal counsel which reached similar conclusions was based on “inaccurate assertions”.