On Tuesday, October 6th, the European Court of Justice decided that data transfer by European-based internet companies to the USA is invalid due to the latter’s lack of protection against mass surveillance. The case was brought forward by Austrian law student Maximilian Schrems, who challenged Facebook’s practice of transferring personal data from its European subsidiaries to the USA. It highlights the continuing and significant transformations resulting from the Snowden revelations, and it points, particularly, to the vast amount of data collected by internet companies such as Facebook, and the lack of protection for user data by these companies.
The Safe Harbour agreement regulates the lawful transfer of personal data by companies between the EU and the US. According to EU law, this transfer can only take place if the US ensures an ‘adequate’ level of data protection. In light of the Snowden revelations, in particular of programmes such as PRISM with which the NSA collects data from social media and other internet companies, the Court has now ruled that ‘adequate protection’ does not exist in this case. Not just Facebook, but over 4000 companies use the Safe Harbour instrument. They may continue transferring data but their practice may now be reviewed by a variety of national data protection agencies.
The ruling demonstrates that over 2 years after the Snowden leaks on mass surveillance started, and despite a decrease in media attention and public debate, their political and policy impact grows. The revelations have had a particularly significant influence on court cases and legal challenges. A variety of cases brought forward by digital rights organisations and civil liberties groups have uncovered new information about surveillance and have led to rulings against the surveillance agencies.
Today’s court decision is also interesting for social media users and the broader debate on social media practices. Although it is widely believed that social media users do not care much about what happens to their data, research has shown that many people are concerned about data collection practices by internet companies but feel unable to address these concerns due to the lack of transparency in companies’ terms of service and relevant regulations. Research as part of Cardiff University’s project ‘Digital Citizenship and Surveillance Society’ has found that many people feel powerless, rather than indifferent, about the collection and processing of their data. The court challenge by Schrems and today’s ruling demonstrate that something can be done and that there is movement towards addressing these issues.