A crowd-funded lawsuit brought by an Austrian law student could cause major changes with how Facebook and other US companies handle UK and European data. The European Court of Justice has ruled Safe Harbour − a way for US companies to transfer data from abroad without complying with other country's laws − as invalid.
Established in 2000, the US Safe Harbour Decision allowed the passage of data between servers in the Europe and US without the need to address differing legal frameworks. Facebook, Twitter, Google and some 4,000 other companies use Safe Harbour to transfer user data without breaking laws on either side of the Atlantic.
Facebook's use of Safe Harbour was the subject of a lawsuit filed against Facebook Ireland Limited in 2012 by Austrian law student Max Schrems. Schrems' case has been crowd-funded by more than 2,000 donors who have raised over €60,000 (£44,000, $67,000) for his cause. The Court of Justice said Safe Harbour did not eliminate the need for European data watchdogs to check that adequate measures to protect data created here are in place.
'This case is not about Facebook'
Facebook has denied any wrongdoing. A spokesman said: "This case is not about Facebook. What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows. Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbour."
Currently, data − often personal and sensitive − is sent to the US servers of Google, Facebook, Microsoft and over 4,000 other companies, but in doing so the data then becomes the property of the US legal system and is no longer under the jurisdiction of where it was created.
NSA spying and Prism
Concerns over how data is collected by such companies came to light in 2013, when National Security Agency whistleblower Edward Snowden claimed the agency was secretly accessing the private data of Facebook users. Snowden published documents revealing industrial-scale collection of data from users in the US and abroad, including millions of internet communication and phone records.
Using a programme called Prism, it was alleged that the NSA could access emails, videos, photographs, phone calls, social networking details, login names and passwords and other data stored by US technology companies, including Facebook, Microsoft, Skype, Google, YouTube, Yahoo and Apple.
Under EU law, the transfer of data to another country is only legal if the exporting company, in this case Facebook Ireland Ltd, can ensure "adequate protection" for the data once it reaches the US. Schrems claims the current situation lets NSA programs like Prism play "the exact antithesis" of adequate protection. By ruling Safe Harbour as invalid, the EU's stance could force major changes to how US tech companies with European subsidiaries handle data collected here, and how it is processed once it reaches the US.
Facebook has told IBTimes UK that it will be in touch with a comment on the ruling shortly.