This week, the Irish Supreme Court forwarded a preliminary question to the European Court of Justice on whether the Safe Harbour principles issued by the EU Commission in 2000 are still actual today, with the advent of the on-line and of the technology field. In short, an Austrian law student asked the Data Protection Commission in Ireland to assess if Facebook Ireland’s transfer of data of EU citizens to the US should not be at least suspended until further precaution measures are taken, given in particular the scandal provoked last year by Edward Snowden and the unraveling of the US National Security Agency of frequently requesting access to data stored by large tech companies such as Facebook or Google, data referring in particular to users of the said services.
The Safe Harbour principles act as a self-assessment test introduced by the EU at the beginning of the millenium, by which all US companies that process personal data must abide by certain rules listed in the principles in order for them to be able to process personal data of EU individuals. Facebook – which is the actor in the complaint with Irish Data Authority – had already assessed its compliance with the principles; when a tech company does that, there is practically no further obstacle standing in the way of processing data of EU citizens. What the Austrian law student stated was that these principles are outdated and would need re-examination, in view of what had happened after 2000, in terms of rise of terrorism and cyberattacks. The main problem is raised by the carve-out in the principles by which US authorities may process data obtained from US companies for reasons of national security – which, as with Snowden’s unraveling, is interpreted abusively by the US.
The Irish Supreme Court's Decision is an example of clear understanding of geopolitical and security aspects of the issue, apart from the legal framework:
The thorny issue could not have come at a worse times for US on-line giants operating in Europe: last month, the ECJ ruled that Google processes personal data and comply with the EU data protection framework by responding to any requests for personal data erasing from EU individuals. There is also extensive pressure from the EU Parliament for suspension of the Safe Harbour decision, and the US vowed to improve the principles this summer.
There is no telling when the ECJ will issue a decision. Moreover, if the principles are improved by then, the ECJ may take a stance and be even more drastic and, who knows, it may argue whether self-assessment can still prove to be effective in current tech status-quo.