It has been over two years since Edward Snowden leaked sensitive information about the way the NSA and other intelligence agencies were harvesting personal data and undertaking surveillance. The repercussions of the disclosures are still being felt and one of the biggest aftershocks was registered last week when the ECJ halted the flow of personal data from EU Facebook users to the US and gave the green light to national regulators to investigate others transferring data there.
Austrian citizen and Facebook user Maximilian Schrems made the complaint that led to the proceedings before the ECJ. He was prompted by the Snowden disclosures to complain to the Irish Data Protection Commissioner about the transfer of data from Facebook's Irish servers to the US. It is common practice for large internet companies operating from the US to transfer to the US the data they hold on their users within the EU. He argued that Mr Snowden had revealed that his data was not sufficiently protected in the US.
The European Commission had previously tried to avoid such complaints with the Safe Harbour decision. This was supposed to ensure that the level of protection accorded to EU data transferred to the US was essentially equivalent to that guaranteed within the EU. The court found a number of flaws in the Safe Harbour decision. Notably, US authorities, including intelligence agencies, were not bound by the principles within it. The court also found that once the data was transferred to the US under the Safe Harbour decision, there was no way for citizens to access it and ensure that it was erased or rectified in accordance with the law. The court found that permitting US authorities to have unlimited access to personal data transferred from the EU compromised the right to privacy, and that the lack of a legal remedy to ensure data was lawfully processed violated the rule of law. Regulators, such as the Irish Data Protection Commissioner, were told they were not bound by Safe Harbour and must make their own investigations on US transfers. Transfer of data of Facebook's European subscribers to the US was suspended.
The coming weeks and months are likely to be very nervy times for tech giants like Facebook and Google as European regulators decide whether they can move data to the US from the EU and on what terms. The decision will likely bring unwelcome scrutiny over the way that these companies and US intelligence agencies operate. The case also provides an interesting example of European mistrust of the US in the post-Snowden era.