Legal Business Blogs

Austrian law student’s case against Facebook results in landmark ECJ decision to scrap safe harbour regime

An Austrian law student has won a legal challenge over the US safe harbour scheme, in a decision which will impact some 4,000 US companies which transferred personal information across the Atlantic.

Maximilian Schrems, a student living in Ireland, has succeeded in his legal challenge against Facebook’s ability for US companies to transfer personal data to the US after the European Court of Justice decided that the US ‘does not afford an adequate level of protection of personal data.’

Schrems instructed Gerard Rudden, a partner who had previously specialised in landlord and tenancy disputes at Dublin law firm Ahern Rudden, to bring the case.

Rudden told Legal Business when he initially spoke to Schrems about the case, it appeared to be a vital issue which required judicial intervention.

‘The fact that the European Court of Justice has held overwhelmingly in favour of Schrems is very satisfying and shows that one person, with legal representation, despite not insignificant obstacles, can make a difference,’ Rudden said. 

The case, brought before Ireland’s Data Protection Commissioner before being escalated to European’s highest court, declares the safe harbour scheme that allowed Facebook and over 4,000 other US companies to transfer personal information across the Atlantic invalid.

The Data Protection Commissioner was represented by barrister Paul Anthony McDermott, while joined party and lobby group Digital Rights Ireland was represented by barrister Fergal Crehan and Simon McGarr of McGarr Solicitors. 

Facebook user Schrems filed the case over his personal privacy following the revelations made by whistle-blower Edward Snowden that the US National Security Agency was routinely intercepting email, social media and telephone communications.  

The decision will have a far-reaching implications across the European Union and ends 15 years of the ‘safe harbour’ scheme. The decision allows national regulators to suspend data transfers to the US, instead of letting exchanges of information go unexamined.

Schrems said: ‘I very much welcome the judgment of the Court, which will hopefully be a milestone when it comes to online privacy. This judgment draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.’

He added: ‘The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it. This decision is a major blow for US global surveillance that heavily relies on private partners. The judgment makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.’

The Court declared that ‘legislation permitting the public authorities to have access on a generalised basis to electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life’ and declared the safe harbour regime ‘invalid’.

The court found the regime denied national authorities their powers to protect the privacy and fundamental rights and freedom of individuals.

Hogan Lovells European head of data protection Eduardo Ustaran warned the decision ‘leaves any organisation that relied upon Safe Harbour exposed to claims that transfers of personal data from the EU to the US are unlawful, unless they fit within one of the legal exemptions or are authorised by data protection authorities’. He added that multinational companies ‘will need to rethink how they operate’.

Covington & Burling special counsel Monika Kuschewsky, argues that ‘the EU’s highest court has pulled the rug under the feet of thousands of companies that have been relying on safe harbour’.

She added: ‘All these companies are now forced to find an alternative mechanism for their data transfers to the US, basically overnight, as the court has declared the Commission Decision on safe harbour invalid without providing for any transitional period.’

For more on the 2015 data protection landscape, see our earlier guest post by PwC’s Stewart Room: New year, new privacy and security strategy’ here.