The impact of Edward Snowden’s disclosures about the activities of the US National Security Agency (“NSA”) continues to be felt.

International transfers of personal data 

European data protection legislation prohibits the transfer of personal information to countries outside the European Economic Area, unless the recipient country provides adequate protection for the rights and freedoms of individuals in relation to data processing. 

In 2000 the European Commission issued a decision on what are known as the “safe harbour privacy principles”, applicable to the international transfer of data. Under this decision the US was recognised as a country with “adequate” data protection laws. 

Schrems v Data Protection Commissioner

This case concerned the transfer of personal data relating to Austrian Facebook user, Max Schrems. Facebook’s Irish subsidiary transfers users’ personal data from Ireland to Facebook’s US servers, where the data is processed. Given the Snowden revelations about the activities of the NSA, Schrems complained that the law and practice of the US do not offer the protection against surveillance by public authorities required by EU legislation. 

The press release issued by the European Court of Justice notes: 

“…the Court observes that the [safe harbor] scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities [such as the NSA] are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference…

…legislation permitting the public authorities to have access on a generalised basis to the content of communications must be regarded as compromising the essence of the fundamental right to respect for private life.”

(Emphasis in bold contained within original press release.)

US-based service providers

This decision of the European Court of Justice may be of concern not only to public agencies responsible for data protection regulation but also to businesses which rely on third party providers for data-related services. Any business which uses the cloud for storing information about employees, for example, may want to clarify where third party providers’ servers are located. 

Case:                    Schrems v Data Protection Commissioner

Type of claim:      European Court of Justice; data protection; transfer of personal data to third country; adequate level of protection of data; Facebook; international service providers processing data  

Judgment date:  06.10.15