The case of Max Schrems (left) got the ball rolling (Image: John Thys/AFP/Getty)

If you live in Europe, your online life changed this morning. The European Union’s highest court, the EU Court of Justice, has invalidated the legal agreement by which personal data can be moved from the EU to the US for processing.

The ruling against the 15-year-old law, known as Safe Harbour, threatens the business models of more than 3000 companies that use it to ship data to the US, including Google, Apple, Microsoft and Facebook.


The decision is the culmination of a case that Austrian lawyer Max Schrems brought against Facebook in 2013 for participation in US mass surveillance. It means that the Irish Data Protection Commission, which presides over Facebook’s data-export operations, is unable to use Safe Harbour as a reason not to investigate Facebook’s data-protection practices in the US. In a statement, the Irish Data Protection Commissioner confirmed that Schrems’s case would be brought back before the Irish High Court “as soon as practicable”.

The ruling also removes the legal blanket that allowed companies to send data gathered in the EU to the US for processing. It’s not yet clear whether this will disrupt the day-to-day operation of major technology firms, but their ability to pool data from both sides of the Atlantic for analysis will be affected.

Apple’s new privacy policy explicitly states that personal data collected for its iCloud service in the European Economic Area is shipped to Apple Inc in the US for processing via Cork in Ireland.

“It’s quite a huge thing to say that one region’s set of laws is superior to that of the US,” says Carly Nyst, a lawyer and privacy consultant based in London. “That’s the bigger implication of this – the EU exerting its might over the US. They’re saying our standards are higher than yours, and you need to step up your game: the EU is not going to stand for the US doing whatever it wants.”

Surveillance concerns

Although the court’s decision is ostensibly about data protection, it inevitably addresses surveillance. The ruling backs up the claim by Schrems that “the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country”. This claim must now be heard and decided upon by the Irish authorities.

The development will stretch US-EU relations, which are already misaligned over the right to be forgotten and net neutrality. “The gap between American and European legislation on privacy is at breaking point,” says Mark Skilton of the Warwick Business School in Coventry, UK.

Nyst adds that “beyond it being a slap in the face to the US, it sets a great precedent for the legal challenges to mass surveillance happening in Europe”.

For all the internet’s power to connect people globally, the ruling is a step towards an internet that takes local rights and laws into account.

Nyst says that data-protection standards are emerging around the world, providing a crucial component of an internet that is not only hugely useful, but also preserves the privacy of its users.

“Law and technology are misfits,” she says. “Law is all about jurisdiction – which area you commit a certain act in. Technology is all about breaking down those divisions.” A global internet with standards for protecting our data may help bridge that gap.

Paul Bernal of the University of East Anglia in Norwich, UK, says the judgement makes it hard to see how it is legal for any personal data gathered in the EU to now be sent to the US for processing.

“The ruling basically says US surveillance cannot be allowed to override our fundamental rights, but US law says surveillance must override fundamental rights,” says Bernal. “The EU court is largely saying that indiscriminate gathering of data is enough to interfere with fundamental rights, and therefore you shouldn’t be able to do it.”

In a statement on the ruling, Max Schrems said that “US companies that obviously aided US mass surveillance may face serious legal consequences from this ruling when data protection authorities of 28 member states review their cooperation with US spy agencies”.

He added that “the average consumer will not see any restrictions in daily use, but will hopefully soon be able to use online services without potentially being subject to mass surveillance”.