Australian privacy advocates have welcomed a decision by Europe's highest court to strike down a major data-sharing agreement with the United States.
As Kristina Kukolja reports, one view suggests it points to Australia's failures in keeping its own citizens' personal information safe.
(Click on the audio tab above to hear the full report)
It is known as the Safe Harbour agreement, and, for 15 years, it has allowed companies to transfer personal information between the European Union and the United States.
But particularly after revelations by United States intelligence whistleblower Edward Snowden, many argued the supposed data protection deal was inadequate.
Now, that is the view of the European Court of Justice.
It has used precisely the information about US mass surveillance disclosed by the former National Security Agency contractor as grounds to declare the agreement invalid.
The court has ruled Safe Harbour failed to sufficiently protect Europeans' data stored on servers in the United States, where spy agencies could access it.
A 28-year-old Austrian law student, Max Schrems, launched the legal challenge, and the outcome, delivered in Luxembourg, cannot be appealed.
"The reason I brought up this case was that you actually have companies that are necessary for surveillance. And in this case, we really have a private surveillance by the Googles and Facebooks and Apples, and they all suck up the data afterwards. So, we have a private company first gathering the data, and then the government taking this data as a secondary user. And if you get the companies out of that equation, and you can do that as Europe because you have jurisdiction over them, you actually can harm the system to a certain extent."
Facebook, the focus of Mr Schrems' action, has responded by urging decision makers on both sides of the Atlantic to address the situation.
It insists the case was not about Facebook and it has done nothing wrong.
But the court decision goes beyond the digital information logged by social-media sites or internet browsers, often used for commercial purposes.
It also concerns other data exchanged by multinationals, such as payroll or contract details.
The Register's Jennifer Baker says Safe Harbour was meant to address discrepancies between US and EU data protection law.
But the Brussels-based correspondent has told the BBC Safe Harbour was wholly reliant on the goodwill of its corporate signatories.
"The general understanding is that EU data protection law is much safer, it's much more protection for normal citizens, and the US, therefore, doesn't meet the adequacy standards that are required before companies can transfer personal data of EU citizens outside the EU to third countries. So, to get around this problem -- because, of course, there's so much trade between the EU and the US -- the European Commission and the US authorities came up with this scheme that is called the Safe Harbour framework. Now, it's not a trade deal, it's not a legally binding instrument, it is simply a voluntary agreement. It's a set of guidelines that US companies sign up to and promise to enforce to take care of European citizens' data. At the moment, about 4,400 companies have signed up."
Reactions in Europe have been mixed, while the United States says it is deeply disappointed.
In itself, the decision does not ban sharing digital information between the EU and third countries, but it permits individual EU nation authorities to review what is being sent.
It is also expected to create opportunities for legal complaints by citizens and to possibly lead some companies to seek alternative legal and other avenues to avoid being targeted.
The European Commission, which implemented the agreement, says it is working on a new data-sharing framework with the United States.
But a US lawyer advising clients on IT regulatory issues, Daniel Cooper, has told Al Jazeera US agencies' intelligence gathering could still stand in the way.
"If there are continued practices by the NSA which were the basis for the court's decision in a new Safe Harbour, that's going to continue to present a problem from a European law perspective. So that question needs to be addressed."
David Vaile is co-convenor of the University of New South Wales' Cyberspace, Law and Policy Community and vice-chairman of the Australian Privacy Foundation advocacy group.
He says Australia's protection of private information stored on servers connected to the internet, known as cloud storage, is inferior to the EU's.
"Australia has a budding 'cloud' industry -- not, obviously, anywhere near as well-developed as the US -- and it relies on trust, both of people in Australia and also in other countries, for the sorts of protections that we can provide to data. And the European Union does adequacy assessments of whether the privacy regime in countries like Australia is effective to protect the privacy of European data, and, if we don't have equivalent and very serious protection like the EU, then our own cloud industry may be damaged."
Mr Vaile says he believes legislative changes are needed to better secure Australians' personal information.
"Both major parties have successively failed to provide any form of either constitutional or general legal protection for privacy, personal-information security, serious data protection, the right to be told when your data is breached or compromised or confidentiality, journalists' protection of sources. None of those things in Australia have any legal or constitutional base that would enable you to run the sort of case that the Austrian law student, Mr Schrems, has now successfully done. So, the real challenge for Australia is we need the sort of strong, and useable by subjects, laws that enable this to occur in Europe."
Share
