HackDig : Dig high-quality web security articles for hacker

ECJ throws doubt on the future of EU-US Safe Harbour

2015-09-23 21:30
ECJ throws doubt on the future of EU-US Safe Harbour

Posted by on September 23, 2015.

The European Union — let’s just say ‘Europe’ — is a strange and undemocratic place. It has an elected European Parliament that has zero power; and an unelected European Commission that wields all the power and does what the hell it wants (usually as directed by big business lobbying). Even, as we shall see, even to the extent of breaking its own laws.

ecThe EC and Safe Harbour
Since Snowden’s revelations, particularly with reference to PRISM, just about every European citizen knows that US internet companies break the European data protection laws when they ship user data to servers in the US. This is self-evident and blatantly obvious. Indeed the elected European Parliament passed a resolution to that effect back in March 2014:

40. Calls on the Commission to present measures providing for the immediate suspension of Commission Decision 2000/520/EC, which declared the adequacy of the Safe Harbour privacy principles, and of the related FAQs issued by the US Department of Commerce; calls on the US authorities, therefore, to put forward a proposal for a new framework for transfers of personal data from the EU to the US which meets Union law data protection requirements and provides for the required adequate level of protection;

41. Calls on Member States’ competent authorities, in particular the data protection authorities, to make use of their existing powers and immediately suspend data flows to any organisation that has self-certified its adherence to the US Safe Harbour Principles, and to require that such data flows are only carried out under other instruments and provided they contain the necessary safeguards and guarantees with respect to the protection of the privacy and fundamental rights and freedoms of individuals;…

But the unelected European Commission has consistently ignored the Parliament and maintained its own position (Commission Decision 2000/520/EC,) that the Safe Harbour is good and legal. It isn’t and cannot be. Data protection laws prohibit the collector of personal information from giving that data to a third party. But US companies must give that data to the US government under the NSA’s PRISM program; and Snowden has demonstrated that they do. Therefore they are in breach of European law. Safe Harbor self-evidently is not good or legal.

But the Commission doesn’t care because it does whatever the hell it wants. To a point. There is one institution it cannot ignore — the highest court in the Union: the European Court of Justice (ECJ).

Max Schrems and Safe Harbour
Enter European urban hero #1: Max Schrems. He has been fighting Facebook for years. It started with simply trying to get hold of the data Facebook holds on him — but slowly escalated into a court challenge against Facebook’s expatriation of his personal data to the US. That case was held in Ireland. Ireland is a tax haven used by many large companies to avoid taxation in other European countries. Those companies register their European head office (sometimes their entire non-US headquarters) in that country — and it ws there that Max Schrems had to initiate his case.

The Irish court decided that since the Commission had declared Safe Harbour to be good and legal it had no option but to declare Facebook’s practices as good and legal. But to its credit, it asked the ECJ if there was any other option it could take.

ECJThe ECJ and Safe Harbour
So the ECJ has been considering the legality of Commission Decision 2000/520/EC. And today we have had the first indication of the likely outcome. The ECJ’s Advocate General Yves Bot has published his opinion (the TLDR version can be found here in a press release). Now, the AG’s opinion is not constitutionally binding on the full ECJ ruling — but it’s unheard of for the court to disagree with the AG.

Given such a finding of infringements of the fundamental rights of citizens of the Union, according to the Advocate General the Commission ought to have suspended the application of the decision, even though it is currently conducting negotiations with the United States in order to put an end to the shortcomings found. The Advocate General indeed observes that, if the Commission decided to enter into negotiations with the United States, that is because it considered beforehand that the level of protection ensured by that third country, under the safe harbour scheme, was no longer adequate and that the decision adopted in 2000 was no longer adapted to the reality of the situation.

In short, the ECJ is will almost certainly declare Commission Decision 2000/520/EC to be in contravention of the European Data Protection Directive and therefore invalid and unconstitutional. It will be struck down. Safe Harbour itself will be invalid.

The future of Safe Harbour
Jan Philipp Albrecht, the European Parliament’s rapporteur/draftsperson on the reform of EU data protection rules, is unequivocal:

Jan Philipp Albrecht, Green MEP

Jan Philipp Albrecht, Green MEP

The advocate general has today made clear that the transfer of EU citizens’ private data to the US by Facebook is at odds with EU law. This welcome finding must provoke an immediate response by the relevant authorities in Europe. The Irish data protection commissioner must immediately move to prevent any further data transfers to the US by Facebook, which operates under Irish jurisdiction. The finding also confirms the position of the European Parliament, which has already called for ‘Safe Harbor’ to be suspended. It is unacceptable that the European Commission has ignored this demand for a year and a half. It is now time for the Commission to finally suspend ‘Safe Harbor’.

Let’s see the EC wriggle out of this one!

Share This:

Source: /ruobrah-efas-su-ue-fo-erutuf-eht-no-tbuod-sworht-jce/90/5102/ku.oc.ytirucesti

Read:3931 | Comments:0 | Tags:Uncategorized

“ECJ throws doubt on the future of EU-US Safe Harbour”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)


Tag Cloud