Safe harbor: abusive data collection and mass surveillance repealed by the European Court of Justice!
Paris, 6 October 2015 — By a decision published this morning, the Court of Justice of the European Union (CJEU), the highest European jurisdiction, repealed the Safe Harbor agreement. This agreement in effect since 2000, allows data transfers between Europe and the United States under different versions, authorised the processing of European citizens' data by US companies, with fewer guarantees than those existing in Europe. Max Schrems, an Austrian citizen, has put Facebook on trial since the monitoring by the NSA of his data hosted by Facebook had an impact on his freedom and privacy. The CJEU today confirmed his viewpoint by invalidating the Safe Harbor and held that the European Commission abused its power by approving it. The CJEU also affirmed that a local data protection authority may dissent a European agreement if guarantees granted to citizens were modified.
This is a landmark ruling! By recognising that the surveillance led by the NSA on personal data hosted in the US was prejudicing EU citizens, the CJEU upholds what Human Rights organisations and MEPs were calling for: conditions surrounding the transfer of personal data must be revised, in the light of legislations regarding surveillance and the practices that Edward Snowden has unveiled. By repealing the Safe Harbor and by allowing regulatory authorities to scrutinize individual's requests against data transfer, a stark signal is sent to the European Commission which is currently renegotiating this Safe Harbor agreement, but also to the governments implementing mass surveillance programmes. These programmes are indeed acknowledged as interfering with basic freedoms, as soon as they enable collecting and saving data1 (without having to prove that surveillance has been effective).
La Quadrature du Net welcomes this courageous decision, and calls for a wider application of its principles in other ongoing legislative files dealing with personal data and surveillance, such as:
- the recent French Surveillance law and the French International Surveillance law which is under consideration in the upper chamber: what will happen to French businesses hosting personal data from citizen worldwide, as monitoring by intelligence agencies on metadata and personal data has been declared incompatible with fundamental rights? What will happen to the laws on intelligence and international surveillance as they infringe freedoms and rights
- The European regulation on data protection, currently under trialogue negotiations at the European level: the institutions involved (European Parliament, European Commission and Council of the European Union) should consider this question and improve the level of protection for European citizens personal data. This means the prohibition of data processing implying mass surveillance, and the control of the undue power granted to companies (in terms of data processing) through the concept of "legitimate interest".
- The renegotiation of the Safe Harbor, started after the European Parliament's resolution asking for its suspension in April 2014: the issue with the surveillance put in place by the US authorities with the collaboration of large corporations shall not be ignored and EU citizen's rights will have to be protected.
"The CJEU sent a clear message, following its 2014 judgement on data retention: no less than twice in 18 months did it affirm that data collection and retention towards surveillance is contrary to fundamental rights. We ask all French and European representatives to draw the necessary conclusions and work towards protection of citizens within the EU, especially by invalidating monitoring laws currently under consideration in many European countries, and notably in France", declared Adrienne Charmet, campaign coordinator for La Quadrature du Net.
See the recitals of the ruling:
- 33. The High Court held that the mass and undifferentiated accessing of personal data is clearly contrary to the principle of proportionality and the fundamental values protected by the Irish Constitution. In order for interception of electronic communications to be regarded as consistent with the Irish Constitution, it would be necessary to demonstrate that the interception is targeted, that the surveillance of certain persons or groups of persons is objectively justified in the interests of national security or the suppression of crime and that there are appropriate and verifiable safeguards. Thus, according to the High Court, if the main proceedings were to be disposed of on the basis of Irish law alone, it would then have to be found that, given the existence of a serious doubt as to whether the United States ensures an adequate level of protection of personal data, the Commissioner should have proceeded to investigate the matters raised by Mr Schrems in his complaint and that the Commissioner was wrong in rejecting the complaint.
- 92. Furthermore and above all, protection of the fundamental right to respect for private life at EU level requires exemptions and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary (judgement in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 52 and the case-law cited).
- 93. Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of access by public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail (see, to this effect, concerning Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54), judgement in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraphs 57 to 61).