Austrian privacy activist Max Schrems has performed an important service to Irish and European consumers that deserves acknowledgment. Yesterday's ruling in his favour in the European Court of Justice (ECJ), on a clarification sought by the Irish High Court, in effect reprimands both Ireland's Data Protection Commissioner (DPC) and the European Commission for failing adequately to oversee and protect European standards of data protection against the attentions of US intelligence agencies.
“This judgment draws a clear line,” a delighted Mr Schrems said. “It clarifies that mass surveillance violates our fundamental rights.” The ruling also means that the DPC will have to revamp and upgrade its supervisory operations.
This is no academic or theoretical issue. The case was prompted by Edward Snowden's revelations about the US National Security Agency's Prism surveillance system which allowed it access enormous amounts of data from global tech companies. Mr Schrems sued Facebook through the Irish courts because the company uses Dublin as a hub for its users outside the US and Canada.
At issue was the 15-year-old Safe Harbour treaty which provided a framework for preferential data transfers from the EU to the US by companies like Facebook with assurances that EU data protection standards are not being breached. Specifically – and grossly inadequately – companies were required to self-certify that the data was protected to EU standards when, in fact, the US authorities, as the court made clear, were bound to disregard the protective rules laid down in the treaty where they conflicted with national security and law enforcement requirements.
The court found that the authorities’ access to the content of electronic communications compromised the fundamental right to respect for private life and ruled Safe Harbour invalid.
A scramble to agree new frameworks for preferential data transfers to replace Safe Harbour for 4,400 US firms currently using it is now under way, with many companies concerned that the ruling may hurt what they see as an essential element of their business. But, as Mr Schrems argues, the principles set out in the ECJ’s ruling will also apply to any new treaty frameworks for privileged data transfer which may prove very difficult to agree. Ultimately the US will have to accept that the EU demand for safeguards is not optional but court-mandated. The ruling is a spanner in the works of difficult transatlantic trade negotiations.
Business has to understand that it is now paying the price not for EU nitpicking, but for the US obsession with dragnet, mass data collection technology whose security value is dubious, and the failure of US legislators to set limits on the activities of its intelligence agencies.