European court rules 'Safe Harbour' treaty that saw Facebook hand over user data to US is invalid, after challenge by student

An Austrian privacy campaigner called Max Schrems might have brought an end to one of the most important arrangements for US spying

Andrew Griffin, Jamie Merrill
Tuesday 06 October 2015 09:45 BST
Thousands of servers are pictured at the new Facebook Data Center, its first outside the US on November 7, 2013 in Lulea, in Swedish Lapland

The European Court of Justice may have put an end to a deal that had the effect of allowing US spy officials to look in on people's private Facebook data.

An Austrian privacy campaigner called Max Schrems successfully challenged the Safe Harbour treaty, which controls the way that data is moved from Europe to the US. The ECJ said that the agreement did not remove local regulators' duty to ensure that their citizens' data was being adequately protected.

It found that legislation allowing the authorities access to the content of electronic communications compromised the fundamental right to respect for private life.

The Irish regulator that oversees Facebook will now have to decide whether Facebook's transfer of data from the EU to the US should be stopped. The Irish Data Protection Commissioner rejected the case earlier on the grounds that the Safe Harbour treaty had enough protections, but Schrems appealed that decision and the European court found the protections were invalid.

The court ruling, which follows an initial legal opinion last month, has been welcomed by privacy and data campaigners including the Open Rights Group.

Executive director, Jim Killock said: “In the face of the Snowden revelations, it is clear that Safe Harbour is not worth the paper it's written on. We need a new agreement that will protect EU citizens from mass surveillance by the NSA.”

Mr Schrems's legal battle over Safe Harbour was sparked by Edward Snowden's revelations over the US National Security Agency (NSA)'s Prism surveillance system which allowed spies to access enormous amounts of data from global tech companies.

He initially brought a lawsuit in Ireland after failing to secure an investigation into Facebook by the country's Data Protection Commission, which has the authority to audit the social media giant.

Mr Schrems claimed Ireland's data watchdog had an onus to uncover what information Facebook held on users and ultimately what was being transferred to the US under Safe Harbour and being accessed through Prism.

The case was brought in Dublin as every Facebook user outside the US and Canada has a contract with Facebook Ireland. It was later transferred to the European court.

Facebook said that the case was "not about Facebook". "The Advocate General himself said that Facebook has done nothing wrong," a spokesperson said.

“What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows. Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor.

“It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.”

Some have claimed that the ruling may make it difficult for other big US businesses. Mark Thompson, privacy lead at consultancy KPMG, warned that any new regulation of big data could have a "very significant" financial and practical impact on major technology firms operating in the EU.

"There is a risk that if rules around data transfers aren’t handled pragmatically this will result in a restriction on the flow of personal information across global organisations which could have a detrimental impact on their business models," he said. "This could potentially impact global trade as organisations would likely be required to re-structure business functions, outsourcing arrangements, business partnerships and re-locate IT assets to ensure processing of personal information does not take place inside the USA. For global organisations this would be a substantial undertaking and the associated costs and practicalities involved could be very significant."

Today's judgment said that national security, public interest and law enforcement requirements of the United States prevail over the Safe Harbour scheme, so that US undertakings are bound to disregard the protective rules laid down by that scheme where they conflict with such requirements.

"The United States Safe Harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the (Data Protection) Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference."

It added: "This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems' complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data."

The court said the US authorities were able to access the personal data transferred from EU member states to the US and process it in a way incompatible with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.

"Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased."

The court added that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as "compromising the essence of the fundamental right to respect for private life".

"Likewise, the court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.

"Finally, the court finds that the Safe Harbour decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.

"The Court holds that the Commission did not have competence to restrict the national supervisory authorities' powers in that way."

Liberal Democrat MEP Catherine Bearder, who has called for greater scrutiny of large tech firms, said: "This is a historic victory against indiscriminate snooping by intelligence agencies, both at home and abroad.

"In a globalised world, only a strong and binding international framework will ensure our citizens' personal data is secure. Being part of the EU means we can fight for strong safeguards that protect UK citizens' freedom and privacy."

Additional reporting by agencies
