The European Court has overruled an EC decision for the second time in two days, this time concluding that US snooping means EU data isn’t safe if transferred over there.
‘The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield’, reads the latest announcement. It refers to the protracted process of determining under what circumstances it’s OK for US internet giants to house personal data generated in Europe in their US-based servers.
This is the latest ruling in the long-running case brought by Austrian Facebook user Max Schrems, who isn’t happy with the way Facebook safeguards his personal data when moving it to the US from Ireland. A previous ruling, known as Schrems I, concluded that the US does offer adequate protections, but that was contested.
“Following the Schrems I judgment and the subsequent annulment by the referring court of the decision rejecting Mr Schrems’s complaint, the Irish supervisory authority asked Mr Schrems to reformulate his complaint,” says the court announcement. That resulted in Decision 2016/1250, which is what has just been overturned.
As ever, this legal stuff gets very arcane, very quickly, so we think it’s best to leave it to Schrems himself to summarise the implications of this ruling. “I am very happy about the judgment,” said Schrems. “It seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.
“The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.
“This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws. You can’t blame the Court for saying the unavoidable – when shit hits the fan, you can’t blame the fan.”
Well said Max. There will presumably be various objections, obstructions and appeals from everyone unhappy with this ruling, but it seems sound. If the EU is charged with ensuring the security of its citizens’ personal data, how can it allow that data to be transferred to a place where that’s not possible?