Paris, 6 October 2015 — By a decision published this morning, the Court of Justice of the European Union (CJEU), the highest European jurisdiction, repealed the Safe Harbor agreement. This agreement in effect since 2000, allows data transfers between Europe and the United States under different versions, authorised the processing of European citizens’ data by US companies, with fewer guarantees than those existing in Europe. Max Schrems, an Austrian citizen, has put Facebook on trial since the monitoring by the NSA of his data hosted by Facebook had an impact on his freedom and privacy. The CJEU today confirmed his viewpoint by invalidating the Safe Harbor and held that the European Commission abused its power by approving it. The CJEU also affirmed that a local data protection authority may dissent a European agreement if guarantees granted to citizens were modified.
This is a landmark ruling! By recognising that the surveillance led by the NSA on personal data hosted in the US was prejudicing EU citizens, the CJEU upholds what Human Rights organisations and MEPs were calling for: conditions surrounding the transfer of personal data must be revised, in the light of legislations regarding surveillance and the practices that Edward Snowden has unveiled. By repealing the Safe Harbor and by allowing regulatory authorities to scrutinize individual’s requests against data transfer, a stark signal is sent to the European Commission which is currently renegotiating this Safe Harbor agreement, but also to the governments implementing mass surveillance programmes. These programmes are indeed acknowledged as interfering with basic freedoms, as soon as they enable collecting and saving data1
See the recitals of the ruling:
(without having to prove that surveillance has been effective).
La Quadrature du Net welcomes this courageous decision, and calls for a wider application of its principles in other ongoing legislative files dealing with personal data and surveillance, such as:
- the recent French Surveillance law and the French International Surveillance law which is under consideration in the upper chamber: what will happen to French businesses hosting personal data from citizen worldwide, as monitoring by intelligence agencies on metadata and personal data has been declared incompatible with fundamental rights? What will happen to the laws on intelligence and international surveillance as they infringe freedoms and rights
- The European regulation on data protection, currently under trialogue negotiations at the European level: the institutions involved (European Parliament, European Commission and Council of the European Union) should consider this question and improve the level of protection for European citizens personal data. This means the prohibition of data processing implying mass surveillance, and the control of the undue power granted to companies (in terms of data processing) through the concept of “legitimate interest”.
- The renegotiation of the Safe Harbor, started after the European Parliament’s resolution asking for its suspension in April 2014: the issue with the surveillance put in place by the US authorities with the collaboration of large corporations shall not be ignored and EU citizen’s rights will have to be protected.
“The CJEU sent a clear message, following its 2014 judgement on data retention: no less than twice in 18 months did it affirm that data collection and retention towards surveillance is contrary to fundamental rights. We ask all French and European representatives to draw the necessary conclusions and work towards protection of citizens within the EU, especially by invalidating monitoring laws currently under consideration in many European countries, and notably in France”, declared Adrienne Charmet, campaign coordinator for La Quadrature du Net.
See the recitals of the ruling: