On October 6, the Court of Justice of the European Union declared invalid the decision reached by the European Commission in 2000 that found the Safe Harbor framework to provide an adequate legal basis for transferring personal data from Europe to the US. Agreeing with the reasoning of its Advocate General, the Court further instructed the Irish Data Protection Commissioner to take up the complaint against Facebook lodged by Maximillian Schrems and to determine whether the company's transfer of his data to the US should be suspended.
The CJEU ruling, clearly the most significant development in international data privacy in the past 15 years, raises a host of questions for thousands of companies that relied upon Safe Harbor to legitimize their data transfers. Actors in this unfolding high drama include the Irish DPA, the Irish High Court, the European Commission, DPAs in other member states, the Article 29 Working Party, the European Data Protection Supervisor, the US Department of Commerce, the companies and of course the individuals whose personal data has been, and is being, transferred to the US. How each will respond will only be evident in the coming days and weeks.
Much of the early coverage in the mass market media, both in the US and in the Europe, focuses on the impact of the decision upon companies and what these companies must do to satisfy European requirements. While certainly a valid and pressing area of concern, indeed one that HR Privacy Solutions advises and assists clients with, the bigger headline is, I would argue, the one found above. At a time when judicial and legislative efforts within the US to reign in mass surveillance have advanced only in small increments, Europe's top court has unequivocally said that mass surveillance is incompatible with the right to privacy and must stop. A clarion call has been issued that is likely to be heard around the world.