:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/LQUYRUOU6VW3ZEPFUDBOAAUTMY.jpg)
:quality(70)/s3.amazonaws.com/arc-authors/irishtimes/5fed9ec9-e0d2-4b29-898a-83fc9bc5d78e.png)
Luxembourg is such a small country, there’s not even room for empty promises. That’s the last advertising slogan a small army of lawyers from Ireland saw when they flew home this week after hearings at the European Court of Justice (ECJ). It also sums up nicely Tuesday’s proceedings at the EU’s highest court.
The court was hearing a referral from the High Court in Dublin on the issue of “Safe Harbour”, EU provisions created in 2000 to simplify the transfer of user data to destinations outside the union. If non-EU companies collecting user data undertake to uphold an “adequate” level of protection for this data, the European Commission is happy to wave it through.
On Tuesday, ECJ judges exposed Safe Harbour for what it has always been: a 15-year-old empty promise. This is not in itself news. Dogs in the street have been barking for years that it was an uneasy compromise, more fiction than fact. But on Tuesday, with surgical precision, the EU judiciary forced the EU executive to agree that Safe Harbour is an emperor with no clothes. Not only that, the world has moved on significantly since Safe Harbour was agreed in 2000.
The 9/11 attacks changed fundamentally how the US views its domestic and international intelligence. All data is potentially valuable in its objective to protect the “homeland” in the so-called war on terror. In this endeavour, US intelligence agencies view social networks and smart phones of ordinary people as legitimate targets. Such platforms and phones – even smart appliances – were still ahead of us in 2000, but today are as unremarkable as the masses of revealing data they generate.
Whether you are organising a coup via Gmail or posting on Facebook pictures of cats that look like Hitler, the National Security Agency (NSA) wants to know. Whistleblower Edward Snowden alleges that all of this data finds its way into the NSA’s “Prism” servers. But Europe has also changed since 2000, adopting a Charter of Fundamental Rights which – after declaring human life inviolable and outlawing torture and slavery – guarantees citizens in article 8 “the right to the protection of personal data concerning him or her”.
On Tuesday afternoon, under cross-examination by ECJ judges, European Commission counsel admitted they could not guarantee this right to privacy for EU data exported to the US under Safe Harbour.
Transa
tlantic trade-off In a transatlantic trade-off, US intelligence concerns will trump the EU fundamental right to privacy every time – and the commission is unsure if or when they can change this.
So what, the court asked, should a concerned citizen do if they think Facebook is infringing their privacy rights and the commission is not on the case? The answer: delete your Facebook account.
Max Schrems, the Austrian campaigner who filed the original Facebook complaint, could barely contain his amazement. It’s not every day, his counsel noted, you hear the EU executive abdicate its responsibility for fundamental rights before the EU’s highest court.
For them, the gravity of the situation is clear: US intelligence operates a massive data dragnet that pulls in EU citizens’ private data. The US has no privacy laws to prevent this happening, nor is it interested in stopping it – particularly not because of EU laws or sensitivities. If the European Commission continues peddling empty promises on privacy, the Schrems team argued, it’s time for the ECJ to intervene. The commission warned against this and, backed by the UK, said that cancelling Safe Harbour could have serious consequences for transatlantic trade and the single market.
Counsel for Schrems and several other EU countries present sounded less concerned. Data flows to the US would not be capped by striking out Safe Habour. But some 2,000 companies, including those who allegedly allow NSA access to their users’ data, would lose their privileged status. Europe would be a level playing field for all data-collecting non-EU companies.
But perception counts and, if Washington believes US companies will face a trading disadvantage without Safe Harbour, they will make their displeasure known in Brussels. Previous concerns about Snowden allegations have been silenced. Commission officials are on orders from the top to eliminate any banana skins to negotiations on a transatlantic free trade agreement (TTIP).
Looming regulation
With Washington already unhappy that the EU’s looming data rules will complicate life for its companies, the commission fears that losing Safe Harbour could be the straw that breaks TTIP’s back. ECJ judges have to decide whether the charges are grave enough to warrant an intervention from them, or if the commission has earned a chance to put things right.
Ireland is not on trial in Luxembourg, but official attitudes to privacy are. Ireland is the European home of Facebook yet, in this case, Facebook’s regulator – the Irish Data Protection Commissioner – has consistently deferred to the European Commission, saying it has no leading role.
The commission agrees, but several other parties had their doubts. One ECJ judge suggested it was unusual to hear claims of a body understepping rather than overstepping its competences.
The case dismissed by the Irish Data Protection Commissioner as “frivolous” was dubbed a “case of great principle” by the ECJ. Its verdict on June 24th will be fundamental in defining both European privacy in the 21st century and the uneasy relationship – in Ireland and around the EU – between free trade and fundamental rights.
Derek Scally is Berlin Correspondent