The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

02 Feb 2016

European Commission defence of European rights sinks in an unsafe harbour

By Joe McNamee

Following the decision of the European Court of Justice to overturn the EU/US “Safe Harbor” Agreement last year, EU/US negotiations have been ongoing to reach a new deal, which would facilitate transfer of data across the Atlantic. Having failed to reach an agreement before 1 February, the European Commission today announced plans to back down from defending the European Court’s ruling and to accept a new badly flawed arrangement.

The emperor is trying on a new set of clothes. Today’s announcement means that European citizens and businesses on both sides of the Atlantic face an extended period of uncertainty while waiting for this new stop-gap solution to fail.

said Joe McNamee, Executive Director of European Digital Rights.

Among the proposals are an “exchange of letters” to permit Europe to receive assurances from the outgoing US President that non-US data will be processed in ways that are strictly necessary and proportionate – i.e. not subject to mass surveillance.

The new arrangement will rely on additional legal instruments, which are also likely to fail to achieve their intended goals. At a meeting in the European Parliament last night, Commissioner Jourová was asked repeatedly for her views on flaws in the crucial Judicial Redress Act and the EU/US Umbrella Agreement. She refused to address either problem.

Parliamentarians from across the political spectrum last night repeatedly accused the United States of not taking the negotiations seriously. Seeing fatal problems being built into the Judicial Redress Act, seeing the adoption of the secret data-sharing provisions in the Cybersecurity Act and seeing the lack of any meaningful reforms on the US side, it is hard to disagree.

Read more:

Why is Safe Harbour II such a challenge?

Access Now, EDRi on data protection: “No Safe Harbour 2.0 without reform on both sides of the Atlantic”

01 Feb 2016

Why is Safe Harbour II such a challenge?

By Joe McNamee

It seems baffling to many outside the Brussels bubble – and certainly our friends across the Atlantic – that reaching a revised Safe Harbour deal has proved so difficult.

Part of the problem is Europe. The United States was able to negotiate a questionable deal with the EU to gain access to financial transaction data (the TFTP agreement) and only had to deal with a highly deferential letter from Commissioner Malmström when the Snowden revelations indicated that the deal was being abused.

When the United States wanted long-term storage of air passenger data, the EU caved in completely to US demands and agreed to 15-year long data storage. That deal remains in place, despite of being patently illegal – as proven by the fact that the European Court of Justice overturned the EU’s Data Retention Directive and by the fact that the Commission now considers that 5 years of passenger data retention to be sufficient (i.e. if 5 years is enough, 15 years is clearly far too much).

And let’s not forget that the EU also agreed to the original Safe Harbour deal, although many experts believed that it was illegal.

If, over the past 17 years, the EU caved in and accepted a questionable deal on financial data, if it then ignored evidence that the deal was not being respected, if it accepted and still maintains an illegal deal on passenger data, if it accepted the illegal Safe Harbour deal, it would seem entirely rational and logical that the United States would negotiate on the basis that the EU would cave in again.

That assessment appears to be wrong in this case, as the consequences of a deal that fails to respect the law would be felt more quickly and the range of manoeuvre available to the Commission is narrower.  Generally, as we see with Safe Harbour and the Data Retention Directive, for example, it takes so long for the Court to catch up, that the Commissioner responsible will have left office, so there are no political consequences. Safe Harbour is different.

A new illegal deal would have even worse transatlantic consequences than we are facing at the moment, making the consequences more meaningful. Politically, legally and economically, the Commission needs to ensure that it is able to put forward a credible defence before the Court. It would be grossly reckless for the European Commission to treat this as a political negotiation, and up until this weekend, it has laudably not done so.

Furthermore, while the European Commission frequently seeks solace in semantics (“what does ‘genuinely necessary’ really mean?”) in order to avoid fully respecting Court rulings, the Safe Harbour ruling is very clear in not giving room for manoeuvre. Also, due to the inevitability of the Court being asked to rule on any new deal, the scope for the Commission to play for time is severely limited.

This unique situation has led to the two sides in the Safe Harbour II negotiations simply not hearing each other. The United States – logically in the historical context – has been proposing elaborate political spin and elegant, but ultimately specious, explanations of what a deal could look like – in a manner that has always worked before. Meanwhile, the European Commission has been explaining that this negotiation is different. This, too, however, sounds like a negotiating tactic. “Why do they not understand?” both sides ask, infuriated that the other side won’t accept to move forward based on their version of the political and legal context.

As a result, the only possible deal that is immediately available is where the European Commission agrees a politically expeditious but legally untenable deal, creating a time bomb rather than a durable deal, to the benefit of no one. In absence of reforms before an agreement, individuals’ fundamental rights would remain under threat. The political arm wrestling which led us nowhere must end. Discussing legal solutions to a legal problem is the only viable path to agreeing to a robust data transfer agreement.

21 Jan 2016

Access Now, EDRi on data protection: “No Safe Harbour 2.0 without reform on both sides of the Atlantic”

By Theresia Reinhold

On January 12, Estelle Massé, Policy Analyst at Access Now, and Joe McNamee, Executive Director at EDRi, were invited by the committee of EU data protection authorities – the Article 29 Data Protection Working Party – to discuss the aftermath of the Safe Harbour ruling.

Read our full submission to the Article 29 Data Protection Working Group (PDF).

At that meeting, we discussed the consequences of the European Union Court of Justice (CJEU) ruling in the case C-362/14 (Maximillian Schrems v Data Protection Commissioner, known as “the Schrems case”) which invalidated the Safe Harbour arrangement. We provided evidence to the EU data protection authorities on the reforms needed on both sides of the Atlantic, including the specific reforms needed in the US for a robust new transatlantic data transfer agreement that would resist legal challenge. Here is the list of reforms we recommend:

  1. Surveillance reform in the European Union and the United States which includes
    a. Reform of Foreign Intelligence Surveillance Act (FISA) Section 702
    b. Reform of Executive Order 12333
    c. Reform of EU Member States’ legislation on surveillance
  2. US compliance with the International Covenant on Civil and Political Rights (ICCPR)
  3. Passage of comprehensive data protection legislation at federal level in the US
  4. EU member states to stop avoiding their human rights obligation in the guise of the ill-defined “national security exemption”

Despite the impetus for reform generated by the Schrems ruling and the launch of negotiations for a so-called Safe Harbour 2.0, the status quo remains on both sides of the Atlantic. Worse, legislation was passed in the US that potentially negates the possibility of a future transatlantic data transfer agreement. That legislation is the Cybersecurity Act of 2015 (also known as CISA). Passage of the Cybersecurity Act increases the breadth of unaccountable, secret US spying and further cements the corporate-intelligence relationship. This law would require the Department of Homeland Security (DHS) to deliver “cyber threat” indicators, which are shared with the intelligence and law enforcement agencies in near real-time. Companies would be granted broad legal immunity for supplying those indicators to the US government, which could include personal information. The option exists to transfer the information entirely secretly. That means massive repositories of personal information, including data transferred from the EU, could be secretly turned over to spying agencies.

We highlighted these shortcomings in our meeting and written submission. They are in addition to the considerations raised by the limitations the Schrems ruling imposed on the EU Commission and the repeated “misleading” of US institutions and secret re-interpretation of US legislation.

Finally, we called on negotiators to take the time necessary to conduct reform that would provide users and companies on both sides of the Atlantic with a robust, trustworthy mechanism for transfer of data, upholding the right to privacy and ensuring legal certainty.

13 Jan 2016

Dutch government says no to weakening encryption

By Guest author

The Dutch government will, “at this time”, “not adopt restrictive legislative measures against the development, availability and use of encryption within the Netherlands.” This statement was posted by the Dutch government in a letter to the Dutch parliament on 4 January 2016. This is clearly position to be applauded.

................................................................. Support our work - make a recurrent donation! .................................................................

In the letter, the government recognises the importance of encryption for the entire society. The ministers of Economic Affairs and Security and Justice find that “cryptography plays a key role in technical security in the digital domain.” This not only applies to companies protecting their business secrets and customer data, but also to the government itself. The Dutch government indeed “increasingly communicates with citizens via digital means, and provides services where confidential data is exchanged.” Citizens benefit from encryption, because it allows them to “ensure privacy and confidentially of their communication.” This is “also important for exercising the right to free speech,” according to the government.

Of equal importance is the realisation that it is not possible to weaken encryption by just a little bit. The government argues that “there is no outlook on possibilities to, in a general sense, for instance via standards, weaken encryption products without compromising the security of digital systems that use encryption.” Hence, when introducing back doors that would enable prosecution and intelligence services to access encrypted files on digital systems – these encrypted systems “can become vulnerable to criminals, terrorists and foreign intelligence services.”

The weakening of encryption would have undesirable consequences for the security of our digital infrastructure. And that is why the Dutch government concludes that “at this time, it is not appropriate to adopt restrictive legislative measures against the development, availability and use of encryption within the Netherlands.” The government will propagate this position “in the international context.” The letter ends with the commitment to grant 500.000 Euro to the widely used encryption software library OpenSSL, as proposed by the parliament. This is a highly commendable position.

Letter from government to parliament with position on encryption (04.01.2016)

Unofficial translation and comments from Matthijs Koot

Proposal to amend budget to grant OpenSSL 500.000 euros funding

(Contribution by Rejo Zenger, Bits Of Freedom)



13 Jan 2016

Swedish border control becomes a privacy nightmare for travellers

By Guest author

European citizens are finding that their freedom of travel is being curtailed as more and more Schengen countries introduce temporary border controls in response to the flow of refugees from the Middle East war and conflict zones. Moreover, Sweden and Denmark have passed national legislations which gives train, bus and ship operators the responsibility of checking if their passengers have valid travel documents before they are transported through the border zone where state border guards officially check passports or identification documents. This is similar to the obligations imposed on carriers in the EU Directive 2001/51/EC, except that the new Swedish and Danish obligations apply to passengers transported within the Schengen area.

................................................................. Support our work - make a recurrent donation! .................................................................

At the Swedish border, the obligations on transport operators to check IDs of passengers took effect on 4 January 2016. This has disrupted train travel from Copenhagen to Malmö, the main option of public transportation over the Øresund Bridge. At Copenhagen Airport Station, just before the bridge to Malmö, all passengers have to disembark the train and walk through a security checkpoint with ID inspection. After the checkpoint, passengers can board another train which takes them to the official border control on the first Swedish station after the Øresund Bridge, and then onwards to their final destination on the Swedish side of the Øresund Region.

In addition to the general disruption and travel delays for passengers, the ID inspection at Copenhagen Airport railway station has generated a lot of public controversy over privacy since the train operator DSB has decided to take photos of the identity documents presented for inspection at the checkpoint. This information is retained in a central database for up 30 days, and Swedish Police will be granted access to the database upon request, according to a press release from DSB.

Under the new Swedish law, transport operators are subject to a fine of 50000 SEK (about 5500 EUR) for every passenger that is transported to the border without a valid ID unless the operator can document that the ID inspection prior to crossing the border was carried out in accordance with Swedish law. The legal requirements for this documentations are unclear, and this has led DSB to take the radical step of retaining copies of the ID presented for every passenger. DSB is the only public transport operator in the Øresund Region that retains copies of passenger IDs for this documentation purpose.

The legality of the data retention has been questioned by a Danish data protection expert. The processing of personal data takes place in Denmark and is therefore subject to the Danish Data Protection Act. In Denmark, the processing of citizen ID numbers (present on all identity documents) is subject to special requirements similar to those for sensitive personal data, and the legal arguments submitted by lawyers for DSB to the Danish Data Protection Agency do not address this issue. A more general issue is the legal basis for the retention of copies of ID documents in the first place. The DSB lawyers refer to the exemption for “a task carried out in the public interest or in the exercise of official authority vested in the controller” in Article 7(e) of the Data Protection Directive, but the real purpose of the data retention is to avoid the possibility of fines being imposed on DSB for passengers without ID. In any case, there is clearly an issue of proportionality that must be considered here since a central database with pictures and other personal data of citizens, readily accessible by the Swedish Police (and possibly other public authorities), is a significant intrusion.

The Danish government has not yet imposed ID check obligations on transport operators between Germany and Denmark, and such a step would have to be negotiated with the German authorities since the ID check by the private operator takes place in Germany. However, if the Swedish-Danish idea of imposing ID check obligations on private transport operators spreads to other EU countries, it will have huge consequences for the freedom of travel and privacy for European citizens, especially if the private transport operators are pressured into keeping copies of the passenger IDs for their internal “documentation” of the ID checks. A partially privatised border control system along these lines would, in effect, extend the mass surveillance of European air travellers in the PNR (Passenger Name Records) Directive to train, bus and ship passengers on intra-EU cross-border routes.

Questions and answers for the DSB ID check (04.01.2016)

Practical Guide for the Swedish regulation on ID checks, Swedish Police (in Swedish only, 30.12.2015)

DSB press release about the retention of passenger ID copies (in Danish only, 02.01.2016)

DSB has registered passengers in violation of the law, Politiken (in Danish only, 07.01.2016)

(Contribution by Jesper Lund, IT-Pol Denmark)



02 Dec 2015

EU Council on Data Retention: “Can we please just have it back?”

By Diego Naranjo

One and a half years after the Court of Justice of the European Union (CJEU) invalidated the Data Retention Directive, the idea of having an EU data retention instrument is back on the table.

On 8 September 2015, officials from the European Commission (EC) told EDRi that, despite the evidence that we provided of the possible existence of illegal laws in Europe,, they had no intention of starting any infringement proceedings against Member States that are not complying with the CJEU judgement and are therefore in breach of the Charter of Fundamental Rights of the European Union. We were left without a clear idea of what their promise to “continue monitoring legislative developments at the national level” meant.

................................................................. Support our work - make a recurrent donation! .................................................................

As a result of the current chaotic situation, in which some countries stick to their existing data retention laws, while others invalidate them, the Council of the European Union has decided to take the initiative. In a note published on 24 November, the Council asked if this non-harmonised system (which does not seem to be a problem for the Guardian of the Treaties, the EC) should be changed with a new EU-wide data retention proposal from the European Commission. The Council seems to not have digested well the CJEU judgment, and asks the following question:

“Is the Data Retention Judgement to be interpreted in the sense that retaining bulk electronic communication data without specific reason is still allowed?”

The Council might find a hint of the answer to that question from the press release from the CJEU, published on 8 April 2014, right after the ruling declaring the Data Retention Directive invalid, where the Court stated that “the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary” and that “by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality”.Despite this clear wording the Council has a question, which could be rephrased for rhetorical purposes as follows: What would Member States think about having invasive data retention laws (either their own ones, or a new EU norm to rule them all), if we ignore the CJEU case law and the Charter of Fundamental Rights altogether? While Member States take their time to respond, we assume the Commission will continue with their monitoring tasks.

As the Council of Europe’s Secretary General said: “Terrorists can’t destroy our democracies, only we can do that.” For that, at least, the EU is on the right track.

Note from the Council of the European Union on a general debate on data retention. 24.11.2015

European Digital Rights asks the European Commission to investigate illegal data retention laws in the EU

European Commission will “monitor” existing EU data retention laws 29.07.2015

EPP Press Release: Data Protection Directive trialogue should be suspended

The Court of Justice declares the Data Retention Directive to be invalid (08.04.2014)

(Contribution by Diego Naranjo, EDRi)



18 Nov 2015

Founder of a Portuguese leak platform subject to gagging order

By Guest author

Rui Cruz is 28 years old and is the founder of Tugaleaks, a Portuguese Wikileaks-inspired website. He has been working on the website on his free time since December 2010, gathering exclusive articles about the security flaws of government and private company websites, publishing public-but-undisclosed documents, and making available data on security information about Portugal, among other subjects of interest not related to technology. Tugaleaks is the only website mentioned in the US Central Intelligence Agency (CIA) World Factbook for Portugal – in the “political pressure groups and leaders” section.

................................................................. Support our work - make a recurrent donation! .................................................................

In February 2015 Rui was detained and faced charges for “giving support” to hackers by “publishing news”. Some might just think that this is digital journalism, but the public prosecutor considered it a crime. Rui has been subject to a gagging order for eight months and unable to access the Internet, as this was a mandatory coercive measure. As Tugaleaks is based online, he is also unable to publish new content.

To make things worse, Rui was laid off from his day job in a company that is part of PT Comunicações Group, one of the largest communications companies in Portugal. Rui says that the company justified his dismissal by stating that he could not engage with any Internet-related work. Rui now does not have a job, awaiting the end of the coercive measure. Eight months is the maximum time a coercive measure that could be put in place. However, judges could renew the same measure over and over, if they think it’s necessary.

The local media organisations are kept quiet about the situation. Rui says that this is because Tugaleaks was considered to be a “renegade” media organisation because of the style and type of publications which frequently embarrassed the Government and public institutions.

Freedom of expression and the right to choose a job are constitutional rights under the Portuguese Constitution. Rui and his lawyer believe both rights have been violated for eight months by the justice institutions in Portugal without any regard for the quality of life and the “innocent until proven guilty” principle.

Rui is now looking for any solidarity in sharing his story on social media. This is the most important time to spread the message, as he could soon be free from this coercive measure and start rebuilding his life, if sufficient media attention and citizen solidarity is shown. He is also struggling to pay the fees of his lawyer from Jaime Roriz Advogados. Rui accepts donations at:
IBAN PT50 0033 0000 4542 2460 7280 5
Owner: Rui Diogo Morais da Cruz


CIA, The Word Factbook: Portugal

Tugaleaks founder detained for (alleged) cyber attacks to Lisbon’s Public Prosecutor’s Office (only in Portuguese, 26.02.2015)

TugaLeaks founder: fired and prevented from accessing the Internet (only in Portuguese, 02.03.2015)

(Contribution by Rui Cruz, Tugaleaks, Portugal and submitted by his lawyer Carla Guimarães (Jaime Roriz Advogados))



21 Oct 2015

Turkey: New attempts to limit online access and freedom of speech

By Heini Järvinen

The Turkish government has been heavily critised for implementing censorship on the Internet and other media. Currently, over 100 000 websites are officially blocked in the country. Additionally, popular websites such as Twitter, Facebook and YouTube have been frequently blocked with or without a court order. Other than officially blocking websites, Turkish Internet Service Providers (ISPs) have recently been allegedly forced to implement more “creative” methods for limiting access to certain sites.

According to the local Twitter and Facebook users, these social media platforms suffered a slow-down during the first half of October 2015. The traffic on the sites was slowed down, and although the sites were theorically accessible, they became so slow that they were practically inaccessible.

................................................................. Support our work - make a recurrent donation! .................................................................

At the beginning of September 2015, the Turkish authorities imposed a nine-day curfew on Cizre, a city of 120 000 inhabitants near the Turkish border with Syria and Iraq, in support of an “anti-terror” operation against suspected Kurdistan Workers’ Party (PKK) members. The curfew included, besides preventing anyone from entering or leaving the city, blocking all access to Internet, as well as to mobile and landline telephone, or severely restricting them. Council of Europe Commissioner for Human Rights, Nils Muiznieks, demanded that independent observers should be allowed to enter the city. He stated that the situation “combines an exceptionally severe interference with the human rights of a very large population and a near-complete information blackout.”

After the bombings of a peace rally in Ankara on 10 October, in which more than 100 demonstrators lost their lives, the government imposed a temporary broadcast ban on the images of the attacks in print, visual and online media, and warned media organisations not observing the ban that they could face “a full blackout”. The banned footage included also lines of riot police appearing to block a road near the blast site, with ambulances parked in the background. Protesters claimed that the police blocked a road being used by ambulances, and prevented them from transporting victims to hospitals. The ban has been criticised by organisations defending human rights for violating freedom of expression and assembly, for exacerbating tensions within the country, and for undermining opportunity for open political dialogue.

Turkey: Government must protect protest and debate after Ankara attack (12.10.2015)

Ankara terror attack: Protesters clash with police after ambulances “blocked” following explosions (10.10.2015)

Twitter reports “access issues” in Turkey after attack (10.10.2015)

Ankara terror attack: Turkey censors media coverage of bombings as Twitter and Facebook “blocked” (10.10.2015)

Turkey’s internet being intentionally slowed to prevent access to information (05.10.2015)
Turkey re-imposes curfews on Kurdish cities (14.09.2015)

Turkey to lift curfew in cut-off city of Cizre after reports of civilian deaths (12.09.2015)



23 Sep 2015

State of play of internet freedom in the Netherlands

By Guest author

Dutch EDRi member Bits of Freedom is diligently watching a set of broad tendencies, such as the dominant positions of a handful of tech giants, the Internet of Things, and the idea that technology cannot be neutral. Bits of Freedom is also working hard to prevent the occurrence of a number of very real threats to your internet freedom. Here’s an update on three topics currently debated in the Netherlands.

The dragnet for the Dutch secret service

On 2 July 2015, Minister of the Interior Ronald Plasterk published a bill for a new Intelligence and Security Services Act. This bill will give the most far-reaching power to the intelligence and security services to tap citizens’ communications, not only listen to their telephone conversations, but also to monitor chat and email messages, as well as the websites visited. It’s true that the current Intelligence and Security Services Act already allows the security services to tap specific individuals for monitoring purposes, but the new law would allow them to collect such data in bulk. This way innocent people would end up in the dragnet, too.

................................................................. Support our work - make a recurrent donation! .................................................................

Another problem concerning this bill is that the exchange of data with foreign security services will not be limited. This means that the data collected can be handed over to other intelligence and security services without the Dutch security service even knowing the content of the dataset they provide.

Finally, there’s no independent, legally binding oversight. If the oversight committee concludes that the minister has unjustly allowed the application of such a dragnet, the minister can simply overrule the oversight committee, he can only be held accountable by Parliament. Oversight over intelligence and security services should not be left to politicians, because this gives politicians power without any counterbalancing transparency or accountability.

Reintroduction of data retention law

On 11 March 2015, the Dutch data retention law was thwarted by a ruling of the District Court of The Hague. Under that law, everybody’s location and communication behaviour would have been stored for up to a year, which would have had a massive impact on our freedom. Unfortunately the minister of Security and Justice, Ard Van der Steur, has already indicated that he will introduce a new data retention bill.

Hacking Criminal Investigation Departments

Van der Steur also wishes to grant the Dutch law enforcement the power to hack citizens’ computers and other device, such as tablets and smartphones. Ironically this will only make the Dutch internet user more unsafe. Imagine the police has the ability to enter a suspect’s Outlook via a existing vulnerability in the software. The police would then want that vulnerability to remain open a little longer, rather than getting it fixed as soon as possible. Unfortunately, the police isn’t the only party that can use this vulnerability to get access. So that will mean that all other Outlook users are vulnerable to cyber criminals too.

Demystifying the algorithm: Who designs your life? (26.06.2015)

EDRi-gram: Dutch Minister of the Interior reveals plans for dragnet surveillance (15.07.2015)

Data retention law struck down – for now (11.03.2015)

How your innocent smartphone passes on almost your entire life to the secret service (30.07.2014)

Dutch government: Let’s keep data retention mostly unchanged (16.12.2014)

Dutch hacking proposal puts citizens at risk (2.05.2013)

(Contribution by Daphne van der Kroft, EDRi member Bits of Freedom, The Netherlands – translation into English by Jay Achterberg)



23 Sep 2015

Safe Harbor: European Court Advocate General says Agreement should be declared invalid

By Heini Järvinen

This morning, the Advocate General of the Court of Justice of the European Union (CJEU), in his Opinion on the “Safe Harbor” Agreement with the United States, advised the Court to declare the entire Agreement invalid. The catalyst for the case was the mass surveillance practices of the United States.

Sixteen years ago, the EU and US concluded an agreement to allow personal data to be transferred into the US jurisdiction, which does not have comprehensive privacy laws. Literally from day one, it was quite clear that the agreement was unlikely to succeed. Now, after fifteen years of criticism from academics, from privacy advocates and from independent studies, the Advocate General of the European Court of Justice has confirmed what we already knew – the Agreement should be declared invalid. The Agreement has been kept alive by the European Commission’s refusal to accept the ever-growing mountain of evidence of the inadequacy of the Agreement.

“If confirmed by the full Court, this is a very important step for the right to privacy in Europe,” said Joe McNamee, Executive Director of European Digital Rights. “What happens next is crucial. It must never again happen, like in this case, like in the case of the Data Retention Directive, that obduracy from the Commission can keep agreements or laws in force that are patently illegal.”

We now await the ruling of the full Court, which we fully expect to uphold the opinion of the Advocate General.

Read more:

Press Release from the CJEU:

Full text of the Opinion:

FAQ – Safe Harbor

1) What is the Safe Harbor agreement?

Under EU data protection legislation, personal data can only be transmitted outside the EU under number of specific circumstances. One of these is a recognition of adequate data protection rules in the country where the data is being sent.

Due to the fragmented, inadequate approach to data protection in the US, a specific arrangement, called “Safe Harbor” was designed to create a framework for transfer of data to the United States. This was adopted in 2000.

There have long been serious concerns about the real protection that Safe Harbour actually provided. For example the 2008 study by Galexa called “The US Safe Harbor – Fact or Fiction” identified numerous problems. Implementation reports demanded by a sceptical European Parliament also resulted in reports from the European Commission that pointed to problems, but refused to recognise the scale of the instrument’s problems.

2) Why is it suddenly a problem now?

Under the current framework of the EU Data Protection law (Directive 95//46/EC), transfers of personal data need to ensure “an adequate level of protection”. Given the revelations exposed by Edward Snowden on the mass surveillance activities performed by the US National Security Agency (NSA), serious concerns were raised about how the Safe Harbour agreement provides the adequate level of protection for European data. In particular the surveillance under NSA’s PRISM programme facilitated by mass exports of data raise serious concerns.

During questioning in the hearing in the Court, the European Commission representative reportedly admitted that adequate protection is not offered by the agreement.

3) What happens if it is revoked by the Court of Justice?

There are other options for legal transfer of data outside the EU. While some industry representatives claim that suspension of the agreement would be hugely costly from an economic perspective, this is not the case.

4) What has the Advocate General said today? Is this already a “decision” or a “judgement”?

The Advocate General’s role is to advise the Court on what it should do. In most cases the Court (which will make a final decision shortly) follows the Opinion of the Advocate General. So, today’s announcement is not the final ruling.

In his opinion, the Advocate General stated that if a Data Protection authority considers there is not enough protection in a given country, the national authority needs to have the “power to suspend that transfer, irrespective of the general assessment made by the Commission in its decision “. He also added that the US practices allow for “large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection” and that this lack of judicial protection is a disproportional interference with the right of EU citizens of the to an effective remedy, protected by the EU Charter of Fundamental Rights.