ECJ surveillance opinion: What it means for data protection and why it’s important
Your photos, order histories going back years, postings (and more) probably sit in large buildings in the US. A huge amount of information about European citizens is held in the United States, particularly by US tech companies.
For some, that has been a worry for a decade: Who can access that information in the US? Where does it go? What is it used for? Those concerns were brought into sharp focus by the revelations from Edward Snowden in 2013 of large scale mass surveillance by US intelligence agencies.
Individuals aren’t the only ones worried. Governments in Europe, where privacy is regulated much more closely than in the US, have also grown concerned. As a result, the Snowden revelations have cast a long shadow over transatlantic relations in relation to technology and privacy.
The latest development is the opinion by one of Europe’s most senior lawyers suggesting that the “US Safe Harbor” is invalid. The US Safe Harbor was negotiated over 15 years ago between the European Commission and the US, and is used by thousands of US businesses to enable them to receive information about EU citizens securely and legally.
The opinion was issued in relation to a case brought by Austrian privacy campaigner Max Schrems, in his long running campaign against Facebook and similar US technology companies. The opinion of Advocate General Yves Bot is significant, and much wider than many privacy campaigners were expecting. The key points are:
- the opinion states that the current US Safe Harbor is invalid and also suggests the enhanced Safe Harbor regime being negotiated with the US could also be invalid too;
- that second step was not widely anticipated;
- EU national data protection authorities should have “total independence”. So even if Safe Harbor was not invalid, national data protection authorities in the EU should still be able to review the use of Safe Harbor and suspend it on a country by country basis – defeating the ease of use that was one of the Safe Harbor’s great benefits;
- and organisations currently using Safe Harbor to justify sending personal information to the US should consider implementing alternatives. The uncertainty for business is that many of the alternatives businesses currently use, although not all, suffer from the same problems as Safe Harbor.
Importantly, the Advocate General’s opinion is not binding – it is influential only at this point. The European Court of Justice will consider that opinion when reaching its judgment on Schrems case. A final decision should follow in the next few months.