The Open Rights Group speaks of a ‘Landmark victory for Privacy rights’.
Like a bombshell, following the Advocat General Opinion, the ECJ decision this Tuesday 6 October 2015 held the Safe Harbor decision 2000 invalid. (C362-14)
Daniel Solove, amongst other commentators, gives a very clear background of the case.
in June 2013, the law PhD candidate and privacy advocate, Max Schrems*, asked the Irish Commissioner to prohibit Facebook from transfering his data To the U.S. after a data subject request showed the amount of personal data that was collected from his Facebook account, including some deleted posts. His action was blocked by the Irish DPC refusing to investigate the complaint, on the basis that Facebook was protected by the European Commission Decision 2000/520 which set out the Safe Harbor privacy principles. So then, Schrems challenged the Safe Harbor, basically a self-accreditation, adequacy to EU data protection rights. in October 2013, Schrems went to the High Court of Ireland based on Edward Snowden US mass surveillance revelations and the lack of adequacy of data protection in the U.S. On June 2014. The High Court concluded that to continue allowing authorities to “access electronic communications on a casual and generalised basis without any objective justification” contravenes Arts 7 and 8 of the European Charter of Fundamental Rights. It therefore stayed the case while asking the ECJ to determine the legality of the Commission decisions on Safe Harbor and the investigation right of DPC.
Ultimately, the ECJ conceded that Safe Harbor was unable to guarantee adequate data protection to European citizens.
The ECJ, following the Advocat General opinion, invalidated the safe Harbor protection explicitly in view of the NSA I discriminated surveillance revelations by Edward Snowden, and the U.S. Patriot Act giving the U.S. Intelligence agencies access to the data of EU citizens. It decided very clearly that Data Protection authorities, based on the Article 28 of Directive 95/46 must always have the possibility to investigate, with complete independence, a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred.
The level of adequacy has to be balanced according to ‘the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.‘
However the ECJ found that,’Safe Harbor allows Law enforcement to access data beyond what is strictly necessary and proportionate‘. The court also found that the lack of judicial review for European citizen represents a serious flow.
WP art29 states : ‘For several years, the Working Party has been studying the impact of mass surveillance on international transfers and has on several occasions presented its concerns.
Today’s Court judgment confirms that due to in particular the existence of mass surveillance and the absence of possibility for an individual to pursue legal remedies in order to have access and to obtain rectification or erasure, serious questions exist regarding the continuity of the level of data protection when data are transferred to the United-States.‘
What’s next? No panic says Eduardo Ustaran of Hunton & Williams whom, along with his colleague Stewart Room from PwC have been warning on recent stricter privacy requirements. What are the options? One is the costly BCR or Binding Corporate Rules, that have never had much success. Another is Model contract Clauses.
Would these agreements give a much higher level of protection against the U.S. Surveillance? It’s not guaranteed. The issue might come more from ‘political’ considerations than ‘legal’. Some, such as Jules Polonetsky from the Future of Privacy Forum, argue they will suffer from a lack of transparency. Max Dautlich from the law firm Pinsent Mason develops his view on how BCR will not be an adequate option either. Daniel Solove and few others have pointed out that the EU itself, be it the recent French surveillance laws or the UK GCHQ surveillance, does not necessarily insure real protection to data subjects.
An ex French Minister, Michel Kouchner, recognised all countries spy on each other and their mutual citizens; however the U.S. interception of communications is on a larger scale. As I was told on Twitter, most of the state surveillance ‘get lost on translation’. Although state surveillance is not a new idea. It is a necessity even in democratic countries, but the general and systematic interception of foreign communications makes it questionable. Whatever next should be protecting the fundamental right to privacy of every citizen, and that requires a significant change of law and practice of US surveillance.
ECJ Says Safe Harbor Is Not So Safe. Posted by Tara Taubman-Bassirian on October 8, 2015.
‘A milestone’ or a ‘historical’ decision cry the media around the world. It is like a deluge of comments and articles.
Max Schrems. Alternatives to Safe Harbor. Article 29 Working Party. List of companies that have signed Safe Harbor agreements. EU privacy court cases loom over EU-U.S. data transfer pact. Uncertainty over Privacy Shield as Facebook faces penalties. The future of the newly agreed to EU-U.S.
Privacy Shield framework is still up in the air this week. Since the agreement for privacy protection on transatlantic data flows was announced on Feb. 2, transfers using the old Safe Harbor mechanisms could be deemed illegal and subject to enforcement penalties on privacy grounds. But uncertainty remains, as details of the new framework have yet to be worked out. Some parts of the agreement are beginning to fall into place.
On the U.S. side, the Judicial Redress Act, which would give non-U.S. citizens access to U.S. courts for cases involving data privacy -- a key component of the Privacy Shield agreement -- awaits President Barack Obama's signature. Hamburg Data Protection Watchdog Fines International Companies For Illegal Data Transfers.
Microsoft US data. About the Safe Harbor.
Spanish ICO statement. Italy. Austria. Advocate General opinion. European Parliament. European Commision's statement. EDPS European Data Protection Supervisor. Comments in EurActiv. German DPA Enforcement. Swiss Agreement. Luxembourg Presidency. Comments by EDRI. Dutch DPA. Brazil. Data Protection after Schrems - an interview with Charles Maurice by LL210 Podcasts. Comments by Privacy International. Comments by EFF. FPF comments. Comments by Politico. Digital Europe Comment. Comments by Paul Bernal.
Microsoft on the issue. State Surveillance. CJEU Judgement. EU/US internet privacy. Top European Court Rules That NSA Spying Makes U.S. Unsafe For Data. The European Union no longer considers the United States a “safe harbor” for data because the National Security Agency surveillance exposed by whistleblower Edward Snowden “enables interference, by United States public authorities, with the fundamental rights of persons.”
The EU’s highest court, the Court of Justice, declared on Tuesday that an international commercial data-sharing agreement allowing U.S. companies free-flowing access to large amounts of European citizens’ data was no longer valid. As Snowden revealed in 2013, the NSA has been interpreting section 702 of the Foreign Intelligence Surveillance Act as giving it license to intercept Internet and telephone communications in and out of the U.S. on a massive scale. That is known as “Upstream” collection. The NSA is not required to demonstrate probable cause of a crime before a court or judge before examining the data. The ruling was seen as posing a major obstacle for U.S.
What’s not yet clear is what they can do about it. Safe Harbour: Key Aspects of the ECJ Ruling. Public Affairs 2.0 » Internet Commerce is put in question by today’s European Court of Justice ruling. October 6, 2015 What this will mean for both US and EU companies Today thousands of potential jobs, billions in revenues and any cooperation such as medical research is put into question in a landmark decision by the Court of Justice of the European Union (CJEU) in Luxembourg.
L’actualité du droit des nouvelles technologies. The Critical Periphery in the Growth of Social Protests. Abstract Social media have provided instrumental means of communication in many recent political protests.
Academy of European Law > International Data Transfers after the Invalidation of the Safe Harbour Decision. Objective.
See how Google modifies the results for a #safeharbor search. The @Gizmondo article is good. Making Privacy a Reality: The Safe Harbor Judgment and Its Consequences for US Surveillance Reform. Earlier this month, the Grand Chamber of the Court of Justice of the European Union (CJEU) issued its judgment in Schrems v.
Data Protection Commissioner, in which it struck down the legal underpinnings of the EU-US Safe Harbor Agreement—the arrangement that enabled thousands of US companies to transfer EU users’ data to the US for processing and storage. Although the Court’s decision to invalidate the basis for Safe Harbor has placed a serious burden on transatlantic trade, the judgment makes clear and persuasive findings about the protections EU residents’ data must enjoy when transferred to the US. In doing so, it has provided a major impetus for reforms to Section 702 of the Foreign Intelligence Surveillance Act (FISA) — a law the NSA uses as the basis for some of the most egregious warrantless surveillance activities revealed by Edward Snowden, including PRISM and “upstream” collection. Naturally, the CJEU cannot strike down US laws, nor did it seek to do so.
BREAKING: ECtHR finds Russian surveillance system violates Art .8; risk of abuse high when States have direct access. Untitled. On February 5, 2016, Article 29 Working Party member and head of the Hamburg Data Protection Authority, Prof.
Dr. Johannes Caspar, spoke about the EU-US Privacy Shield. Privacy before Profit: European Court of Justice Rules “Safe Harbor” is invalid. Open Rights Group welcomes CJEU Safe Harbor ruling. Congratulations, @MaxSchrems. You've changed the world for the better. Judgment date now set in Schrems EU Safe Harbor Case. We reported in an article and video last week here and in a podcast today here on the Schrems case against Facebook.
Today sees more developments in this case. Data Privacy eBulletin. The European Court of Justice (CJEU) has today ruled that the EU-US ‘safe harbor’ regime is invalid.
Companies relying on safe harbor registration to transfer personal data from Europe to the US will need to adopt alternative processes or risk non-compliance with the European Data Protection Directive 1995. The decision has drawn criticism from some commentators for creating huge uncertainty, risk and cost for businesses, whilst others have welcomed the outcome as a strengthening of the privacy protections of European citizens from being subjected to mass state surveillance. US and EU Should Act Swiftly to Establish New Privacy Protections to Avoid Long-Term Digital Trade Disruption. WASHINGTON—Daniel Castro, vice president of the Information Technology and Innovation Foundation (ITIF), released the following statement in response to the European Court of Justice decision to strike down the U.S.
-EU Safe Harbor Framework: Sign Up. Facebook told by Belgian court to stop tracking non-users. Image copyright Getty Images A court has given Facebook 48 hours to stop tracking people in Belgium who are not members of its social network. Facebook says it will appeal against the decision and that the order relates to a cookie it has used for five years. The cookie is installed when an internet user visits a Facebook page even if they are not members. However, the Belgian court said that the company was obliged to obtain consent to collect the information being gathered. "The judge ruled that this is personal data, which Facebook can only use if the internet user expressly gives their consent, as Belgian privacy law dictates," it said in a statement. If Facebook fails to comply, it could face a fine of up to 250,000 euros (£180,000) per day.
Privacy. Recorded events.