Courage our network

EU’s highest court rules data sharing agreement with US illegal

Today the European Court of Justice (ECJ) ruled on a complaint brought by Max Schrems, a 27-year-old graduate student, in response to Edward Snowden’s revelations. Schrems had argued that Facebook’s cooperation with the PRISM programme revealed by Edward Snowden meant that it was not adequately protecting the data of its European customers.

Max Schrems

In theory, Europeans enjoy greater legal protections for their personal information than their US counterparts. Until now, the treatment of European citizens’ data by US social media companies has been governed by a so-called safe harbour agreement, drawn up by the executive branch of the EU, the European Commission. This safe harbour offers US companies immunity from the enforcement of European privacy laws as long as they make a voluntary commitment to protect personal information to a particular standard.

It is this safe harbour agreement that the ECJ has now ruled illegal – on the basis that US companies’ cooperation with PRISM means their treatment of EU persons’ data in fact falls below the expected standard:

legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.

What does the judgment mean in practice?

The judgment means that US companies need to ensure that European data protection laws apply to the treatment of their European customers’ data. Due to the existence programmes like PRISM, that means that, formally, Europeans’ data might not be able to leave the EU at all.

While companies of the size of Facebook or Google already have local data centres, the logistics of the judgement could prove difficult for smaller companies. And it’s far from certain that storing customers’ data in national silos would do much to protect users’ privacy anyway.

More realistically, the judgment forces local data authorities to investigate what US companies are doing with their citizens’ data, concerns that had previously been waved through because of the safe harbour agreement. Max Schrems’ complaint to the data protection commissioner in Ireland – where Facebook’s European operations are based – will now have to be taken much more seriously (it was initially dismissed for being “frivolous and vexatious“.

Finally, the judgement puts pressure on EU and US negotiators to find a replacement to the safe harbour agreement. That’s proven to be a hugely fraught process ever since the start of Edward Snowden’s revelations more than two years ago. The European Commission, for its part, has given a brief response to the ECJ judgment – the second to tear down one of its data protection instruments post-Snowden – but that response does not tackle the fundamental issue of US surveillance laws’ compatibility with European civil liberties.


Edward Snowden has given his reaction to the ruling on twitter: