The agreement signed in 2000 is now without effect after a challenge by an Austrian citizen.
The Court of Justice of the European Union just invalidate the agreement between the EU and Washington which since 2000 has enabled hundreds of companies, multinationals such as Facebook, Apple and Amazon, to store and process, in the United States, the personal data of their customers.
The judgment comes a tremendous blow to the European Commission, as the agreement only affected companies, and not the public authorities of this countries. EU authorities have closed their eyes when complaints surfaced about the program of massive spying that was discovered and exposed by whistleblowers that reveal Washington’s involvement.
The sentence is a real earthquake for US technology companies and those that have their business on the Internet, with millions of customer data installed in a ‘cloud’ somewhere in the United States.
Data transfers made in the last 15 years have been made without sufficient guarantees, with a legal framework that is now overruled by the European Justice Court.
The case in which the European judgment is based was initiated by the Austrian citizen Max Scherms following the revelations made by Edward Snowden, the former National Security Agency analyst who is now a political refugee in Moscow.
A Facebook user since 2008, Schrems filed a complaint against this social network on the supervisory authority of personal data of Ireland, the country where the organization has its European headquarters.
At first, his claim was rejected because the Irish authorities considered that the exchange of information was covered by the agreement ‘safe harbor’, which represents the United States guarantees an adequate level of protection for personal data transferred across the Atlantic.
The complainant was not discouraged and sent the case to the Supreme Court of Ireland, which is the one that has ended up requesting the European judicial authorities to study whether the agreement actually prevents European countries “from investigating a complaint alleging that a third country does not ensure an adequate level of protection and, where necessary, to suspend the transfer of data reported” has said the European Court.
European judges have concluded, first, that the existence of this agreement does not undermine the powers of action by national data protection authorities, and that it does not prevent them from controlling transfers of data to third countries or if those transfers have met or not the requirements contained in the European directive on data protection.
Ultimately, however, only “the Court of Justice of the EU can decide whether a decision of the European Commission that declared the transmission of data to a third country is safe or not,” the sentence indicates.
At this point, what the European judges have examined following a complaint from Schrems is the decision of the European Commission to enable the transfer of data to the United States since July 2000.
This institution, wrote the judges, must determine whether that country offered “a level of protection of fundamental rights that is substantially equivalent to those in the Union”. But the court “did not conduct this test” and “merely analyzed the ‘Safe Harbor’ agreement.
In reality, this agreement applies only to companies that have acceded to it but that are not subjected to U.S. public authorities.
“In addition, the demands of national security, public interest and compliance with U.S. law prevails over the ‘Safe Harbor’ agreement,” says the statement, so the authorities of this country “are required to cease applying it without limited protection rules when they conflict with these considerations.”
The scheme allows, in short, the “interference of U.S. public authorities in the fundamental rights of individuals” without any rules intended to limit them or effective legal protection against them.
In addition, authorization to maintain without limits or exceptions personal data of Europeans in America, “damages the essential content of the fundamental right to respect for private life”. The Court concludes that the agreement also sees violated “the fundamental right to effective judicial protections” as there is no possibility of exercising defense actions for correction or deletion of personal data.
For all these reasons, the Court of Justice of the EU has declared “invalid” the decision of the Commission in 2000 and has ordered the data protection authorities of Ireland to conduct an investigation into the case reported by Schrems.
“At the end of their investigation, they must decide whether the directive of the transfer of data from Facebook users should be discontinued in the United States because that country does not offer an adequate level of protection of personal data.”
This sentence does not mean that the spying will stop, even if the investigation explicitly decides to suspend the practice contained in the agreement. After learning about the conclusions reached by the EU Court, the U.S. government contacted the EU Commission to start negotiating an alternative.
The leaders of the EU Executive will make an official statement on the consequences of the judgment early in the afternoon.