A long-running legal battle between Facebook Ireland and Max Schrems, an Austrian privacy activist, has resulted in the European Court of Justice (ECJ) recommending that the passing of data between Facebook’s Irish and US headquarters is in breach of European data protection laws.
The case revolves around EU privacy directives that prevent the transfer of data to other regions if there’s not “adequate protection” in place to stop it being further shared. As the data was then transferred to the NSA, Schrems’ assertion was that there weren’t sufficient measures in place to protect data under the EU-US Safe Harbor framework.
In an opinion handed down today, Advocate General Yves Bot said that the data sharing framework was “invalid” as data wasn’t sufficiently protected once it left Europe, and that US intelligence services had access to individuals’ data regardless of whether they were a threat to national security.
“Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter,” Bot decided.
The decision also says that “… the safe harbour scheme, as defined in Decision 2000/520, does not contain appropriate guarantees for preventing mass and generalized access to the transferred data.”
While this isn’t a legally binding decision, judges in the ECJ tend to follow the opinion of the Advocate General, according to Reuters.
If the court comes to the same conclusion, it could spell the end – or a massive overhaul – of data-sharing practices between Europe and the US.
➤ Maximillian Schrems v Data Protection Commissioner [InfoCuria – Case-law of the Court of Justice]