Privacy in Europe

Yesterday the Court of Justice of the EU issued a press release following the opinion of Advocate-General Yves Bot in Case C-362/14 Maximillian Schrems v Data Protection Commissioner which may have far-reaching implications for global corporations and data protection.

 

This on-going matter involves Austrian National, Max Schrems, who has been an active Facebook user for more than 5 years. As with many other EU-based Facebook users, some or all of the data that Mr Schrems has provided to Facebook has been transferred from Facebook's subsidiary in Ireland on to servers based in the US where it is stored.

Mr Schrems complained to the Irish authorities (the Data Protection Commissioner) following the relevations from the Edward Snowden affair about the safety of personal data in the United States.

The Data Protection Commissioner rejected Mr Schrems' complaint in part on the grounds of the Commission Decision 2000/520/EC of 26 July 2000 ("Decision") which discussed the "safe harbour" scheme.

In the present opinion, Advocate-General Bot has taken the view that the Decision neither eliminates, nor reduces the powers of the national data protection authorities. He went on to express that he was of the opinion that the Decision was invalid.

He draws the conclusion that, if a national authority considers that a transfer of data would undermine EU citizens' protection relating to the processing of their data, such authority has the power to suspend the relevant transfer, irrespective of the position in the Decision, and furthermore the Decision does not contain sufficient guarantees relating to effective judicial protection for the personal data of EU citizens.

This opinion, however compelling, is of course not a final decision and the Court will make its ruling in due course.

According to the BBC, Mr Schrems remarked: "Companies that participate in US mass surveillance and provide, for example, cloud services within the EU and rely on data centres in the US may now have to invest in secure data centres within the European Union...This could be a mayor issue for Apple, Facebook, Google, Microsoft or Yahoo...All of them operate data centers in Europe, but may need to fundamentally restructure their data storage architecture and maybe even their corporate structure."

Companies with international reach, similar to the above, will need to pay careful attention to the outcome of this matter, take appropriate advice and assess how the relevant ruling will impact upon their businesses.