Europe’s highest court considers future of online data privacy

The European Court of Justice has begun considering a case that could decide how Europeans’ data will be shared with US internet firms in future

The European Court of Justice (ECJ) has begun considering a case brought by privacy campaigner Max Schrems that could decide how Europeans’ data will be shared with US internet firms in future.

The case against Ireland’s Data Protection Commissioner was referred to the ECJ by the high court in Dublin for a ruling on whether the watchdog is bound by the safe harbour agreement.

The safe harbour agreement provides a means for US companies to transfer personal data from the EU to the US that meets EU data protection requirements.

The ECJ is also expected to rule on whether an investigation should be launched into allegations by Edward Snowden that Facebook passes personal data to the US National Security Agency (NSA).

At a hearing of the case in Luxembourg, the ECJ said it will issue is ruling on 24 June 2015.

Commentators said the ruling could shape international regulations on online information and affect all US companies dealing in Europeans’ data, such as Facebook, Twitter, Google, Microsoft and Yahoo.

Schrems, an Austrian law student, began the case before Snowden alleged that the NSA was routinely intercepting data from emails, social media and telephones, according to The Guardian.

Read more about data privacy

His initial complaint was to Facebook, whose European headquarters are in Dublin, over what was happening to his personal records.

But Snowden’s allegations led Schems to apply for an audit of the data Facebook was passing to the NSA. When the application was dismissed, Schems went to the high court in Dublin.

Schrem argued that, when Facebook collects user data and exports it to the US under safe harbour rules, it is giving the NSA the opportunity to use the data for mass surveillance.

Referring the case to the ECJ, judge Gerard Hogan said evidence suggested that personal data was routinely accessed on a "mass and undifferentiated basis" by the NSA.

He said Facebook users should have their privacy respected under the Irish constitution, and that for such interception of communications to be constitutionally valid, it would be necessary to demonstrate that it was justified in the interests of the suppression of crime and national security, and was attended by the appropriate and verifiable safeguards.

Schrems wants the safe harbour agreement to be scrapped and for the Dublin Data Protection Commissioner to audit the exchange of personal data with US security agencies.

Scrapping the safe harbour agreement would make it much more difficult to transfer data from Europe to the US, but businesses have raised concerns about the negative impact this could have on European trade relations with the US.

Read more on Privacy and data protection