After the European Court of Justice's (ECJ) top adviser said in a published opinion for the "Maximillian Schrems vs. Data Protection Commissioner" case that the Safe Harbor agreement between the U.S. and the European Union could be invalid because it allows the U.S. government unrestricted access to European citizens' data, the Court ruled the agreement to be invalid as well.
The Safe Harbor agreement allowed companies to self-certify when transferring data to their U.S. servers, which could then be accessed by U.S. law enforcement. We've seen this in Microsoft's lawsuit against the U.S. government, where the government said that because it's a U.S. company, it doesn't matter where the user is from -- it can just get that data.
When it comes to services that don't even use HTTPS encryption, the U.S. government can also collect all of that data in bulk when it reaches U.S. territory, by tapping Internet cables, often with participation from local Internet providers.
Maximilian Schrems issued a complaint to the Irish supervisory authority (Data Protection Commissioner), after the Snowden revelations in 2013, that his Facebook data was being processed on U.S. servers where it's not adequately protected.
The complaint was rejected because, in a decision from July 2000, the European Commission had found that under the Safe Harbor agreement the U.S. ensures sufficient protection for European citizens' data. Therefore, the Irish body believed it couldn't further investigate his complaint.
However, the Irish High Court later questioned whether the European Commission can override a national government from investigating such complaints. Now, the European Court of Justice has ruled that a European Commission decision "cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive."
Right now, according to the Data Protection Directive, each national government can implement its own Data Protection law, which could create some bureaucracy for American companies. However, under the new Data Protection act that was meant to pass later this year (it could be delayed now to make changes according to this new ruling), all EU governments would have to respect the same Data Protection law, so this bureaucracy shouldn't last long.
The ECJ also noted that the Safe Harbor agreement didn't have strong limitations that would prevent the U.S. government from accessing EU citizens' data unless it was for strict national security purposes.
It also added that "legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life."
The Court also said that the Safe Harbor agreement didn't provide any way for EU citizens to pursue legal remedies to access, rectify or erase data about them, which "compromises the essence of the fundamental right to effective judicial protection."
Finally, the Court ruled that the Irish supervisory authority must examine Mr. Schrems' case to decide whether to suspend the transfer of European Union subscribers' data to the United States, on the grounds that the data can't be guaranteed adequate protection.
Maximilian Schrems, who pursued this case in the first place and has now won, made the following statement:
"I very much welcome the judgement of the Court, which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible. The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it. This decision is a major blow for U.S. global surveillance that heavily relies on private partners. The judgement makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights."
If I stand up my fabulous Insta-Face-Chat service, and I host it on something like AWS, it's now virtualized. There is no strict control over where the data resides, and in fact I *want* separate locations for failsafe/redundancy reasons. But I'm instantly out of compliance with the law if the server it's on fails over to one that isn't physically next to it.