Earlier today the European Court of Justice (ECJ) made its ruling on the Max Schrems-Facebook case.
Max Schrems is the Austrian Student who brought a case against Facebook in Ireland which was rejected by the Irish Data Commissioner. The basis of his case revolved around how his personal data was handled by Facebook and the reason the Irish Data Protection Commissioner rejected his case was because it was bound by the Safe Harbor Agreement. Mr Schrems appealed the Irish Data commissioner’s findings at the High Court where Justice Hogan adjourned the case pending a reference to the ECJ.
Safe Harbor is an agreement drawn up between Europe and the US allowing the transfer of data on users between the two regions. As there are different rules dealing with data privacy on either side of the Atlantic, something had to be done to allow the transfer of data between Europe and the US. That something is Safe Harbor which is designed to take care of the different rules and legal frameworks in each jurisdiction, whilst also ensuring that any data transferred from Europe to the US is offered European standard protection.
The ECJ has ruled that the Safe Harbor agreement, which has existed for 15 years, did not remove a need for local privacy authorities to ensure US firms were adequately protecting user data. It also said that the ruling meant that Ireland’s Data Protection Commissioner now needs to decide if Facebook’s EU to US data transfers should be suspended. This ruling will affect many other US businesses that rely on using Safe Harbor as a means of moving information from Europe to the US. As more than 5000 US companies are using Safe Harbor the ECJ ruling is a game changer and new replacement measures will need to be put in place. This means that EU and the US will have to come to a new agreement.
On his website Max Schrems said “I very much welcome the judgement of the Court, which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights.”
“Reasonable legal redress must be possible. The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it.”
The Irish Data Protection Commissioner Helen Dixon said the court has “reiterated the fundamental importance attaching to the right of individuals to the protection of their personal data.” She also said the judgment will now be considered by the High Court and she has told the DPC’s legal team “to take whatever actions are necessary to bring the case back as soon as practicable before the Irish High Court”. The High Court is expected to deliver its judgement by late November or early December.