http://arstechnica.co.uk/tech-policy/2015/10/europes-highest-court-strikes-down-safe-harbour-data-sharing-between-eu-and-us/
Quote
Europe's highest court strikes down Safe Harbour data sharing between EU and US
Ruling will likely force Facebook, Twitter, Google to keep EU data in the EU.
Europe's top court, the Court of Justice of the European Union (CJEU), has struck down the 15-year-old Safe Harbour agreement that allowed the free flow of information between the US and EU. The most significant repercussion of this ruling is that American companies, such as Facebook, Google, and Twitter, may not be allowed to send user data from Europe back to the US.
It's important to note that the CJEU's ruling (PDF) will not immediately prevent US companies from sending data back to the motherland. Rather, the courts in each EU member state can now rule that the Safe Harbour agreement is illegal in their country. It is very unlikely, however, that a national court would countermand the CJEU's ruling in this case.
The case was originally sent to the CJEU by the High Court of Ireland, after the Irish data protection authority rejected a complaint from Maximillian Schrems, an Austrian citizen. He had argued that in light of Snowden's revelations about the NSA, the data he provided to Facebook that was transferred from the company's Irish subsidiary to the US under the Safe Harbour scheme was not, in fact, safely harboured. Advocate General Yves Bot of the CJEU agreed with Schrems that the EU-US Safe Harbour system did not meet the requirements of the Data Protection Directive, because of NSA access to EU personal data.
According to an earlier CJEU statement (PDF), "the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the [Charter of Fundamental Rights of the EU]." Another issue, according to the Advocate General, was "the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States," which therefore amounts to "an interference with the right of EU citizens to an effective remedy, protected by the Charter."
Because the CJEU was ruling on an issue in Ireland, the Irish court is expected to make its own judgement shortly. It is likely that the Irish court will side with the CJEU. When that happens, one of two things will need to happen: Facebook, and many other US companies with Irish subsidiaries, will need to keep European data within the EU; or the US will need to provide real privacy protection for EU data when it flows back to the US. As the latter is unlikely due to pressure from the NSA and other intelligence agencies, we suspect most US companies will opt for the former.
Twitter may have already begun this bifurcation of its data. Back in May, it published a new privacy policy that laid out two different sets of rules: one for US users, and another for everyone else. It isn't entirely clear if Twitter moved all non-US data over to its Irish subsidiary at the time, but presumably it was at least laying the groundwork for an impending CJEU ruling.
The third possible route is that the EU could negotiate another Safe Harbour agreement with the US; but following the CJEU's ruling, it would have to be quite stringent.
All in all, this is a huge victory for the privacy of EU citizens—and it's all down to Edward Snowden shining a torch on the NSA's indiscriminate spying on European citizens.
Not sure how I feel about this.
Good news for EU citizens at least.
All anti-EU people should take heed - right now the EU is probably the only institution capable of standing up to the US and global corporations on behalf of EU citizens when it comes to protection of consumers.
Quote from: Martinus on October 06, 2015, 06:15:21 AM
All anti-EU people should take heed - right now the EU is probably the only institution capable of standing up to the US and global corporations on behalf of EU citizens when it comes to protection of consumers.
Certainly all the shitty little ethnic states that go crying to Germany at every little crisis cannot.
Quote from: Martinus on October 06, 2015, 06:15:21 AM
Good news for EU citizens at least.
All anti-EU people should take heed - right now the EU is probably the only institution capable of standing up to the US and global corporations on behalf of EU citizens when it comes to protection of consumers.
:lol:
The EU can't even stand up against Greece.
Quote from: Razgovory on October 06, 2015, 08:39:47 AM
:lol:
The EU can't even stand up against Greece.
Greece is one of its member states. Due to its confederation nature, state's rights prevail. Mew.
:yeah:
Quote from: Martinus on October 06, 2015, 06:15:21 AM
Good news for EU citizens at least.
All anti-EU people should take heed - right now the EU is probably the only institution capable of standing up to the US and global corporations on behalf of EU citizens when it comes to protection of consumers.
Unless you will have national Facebook sites with no traffic between them, all the data people are happy to share about themselves will be there for Evol USAHitlers to browse and download and save and process. Maybe a bit more inconveniently, but still.
Quote from: Tamas on October 06, 2015, 10:15:24 AM
Evol USAHitlers
(https://languish.org/forums/proxy.php?request=http%3A%2F%2Fwww.quickmeme.com%2Fimg%2Fbe%2Fbe31187849ca29cd642b9e545b29b7c45b140f9afedf16861b6dd5fa510b1649.jpg&hash=f8fc7633f790ca558772007dc7f9f48765759bd3)
More spying at home, less spying abroad, please.
It's based on a false finding of facts, namely that US law permits public authorities to have access on a generalized basis to the content of electronic communications.
That claim is repeated several times.
I bet there's a court in Andorra that is even higher than CJEU.
Here, you can have all my personal data for free: 14 inches.
Quote from: Valmy on October 06, 2015, 08:41:10 AM
Due to its confederation nature, state's rights prevail. Mew.
Good, that means no Civil War for the foreseeable future ;)
Quote from: The Minsky Moment on October 06, 2015, 11:26:56 AM
It's based on a false finding of facts, namely that US law permits public authorities to have access on a generalized basis to the content of electronic communications.
That claim is repeated several times.
It's a European court. Facts must cede pride of place to politics.
Quote from: Brezel on October 06, 2015, 12:45:12 PM
I bet there's a court in Andorra that is even higher than CJEU.
I'm sure there is some court in some Swiss Alpine valley that is even higher than any in Andorra. Andorra's capital is only at 1,023 metres.
Quote from: grumbler on October 06, 2015, 02:19:32 PM
Quote from: The Minsky Moment on October 06, 2015, 11:26:56 AM
It's based on a false finding of facts, namely that US law permits public authorities to have access on a generalized basis to the content of electronic communications.
That claim is repeated several times.
It's a European court. Facts must cede pride of place to politics.
It's actually one of the most rigorous and well-respected courts on the face of the Earth. But sure, go ahead and spout your racist nonsense.
Grumbler is racist against white people? :hmm:
The ECJ is well-respected, but like all human institutions, prone to fallibility.
The decision presents certain peculiarities from the POV of a common law lawyer. It states that the case before it is a request for a preliminary ruling, which I understand to be a request from a national level court for a ruling or interpretation of European law. That much is understandable and has parallels I am familiar with, although in the US it is almost always the other way around - a national level court certifying an issue of state law to a state court.
In the US context, however, such requests are always seeking opinions of law - matters of fact finding remain with the court originating the request, for reasons I think both obvious and sound.
The request in the ECJ decision appears to relate to validity of a decision of the Commission - namely one that among other things, certified that the US provided adequate protection for personal data. But the ECJ does not appear to confine itself to a purely legal view of the Decision, but makes findings that it is unsupportable in reference to certain alleged facts. At the same time, it doesn't indicate a basis or source for all the facts it relies on - most notably the claim concerning US "legislation" that authorized general collection. Usually when a court refers to "legislation" as a basis for ruling, there is a citation to that legislation, even if foreign law. That doesn't occur though, presumably because the US legislation in question doesn't exist.
There are things in the ECJ decision that seem sound. It identifies correctly the weakness in the inability of affected persons to challenge or contest FISA rulings. It's a problem (albeit one for decades without much European complaint) and IMO an affront to US constitutional principles as well as European ones. I would like to see that change. Whether that deficiency is in itself sufficient basis as a matter of European law to overturn the Commission's finding of adequate protection I cannot say.
Quote from: The Minsky Moment on October 06, 2015, 05:43:38 PM
The ECJ is well-respected, but like all human institutions, prone to fallibility.
The decision presents certain peculiarities from the POV of a common law lawyer. It states that the case before it is a request for a preliminary ruling, which I understand to be a request from a national level court for a ruling or interpretation of European law. That much is understandable and has parallels I am familiar with, although in the US it is almost always the other way around - a national level court certifying an issue of state law to a state court.
In the US context, however, such requests are always seeking opinions of law - matters of fact finding remain with the court originating the request, for reasons I think both obvious and sound.
The request in the ECJ decision appears to relate to validity of a decision of the Commission - namely one that among other things, certified that the US provided adequate protection for personal data. But the ECJ does not appear to confine itself to a purely legal view of the Decision, but makes findings that it is unsupportable in reference to certain alleged facts. At the same time, it doesn't indicate a basis or source for all the facts it relies on - most notably the claim concerning US "legislation" that authorized general collection. Usually when a court refers to "legislation" as a basis for ruling, there is a citation to that legislation, even if foreign law. That doesn't occur though, presumably because the US legislation in question doesn't exist.
There are things in the ECJ decision that seem sound. It identifies correctly the weakness in the inability of affected persons to challenge or contest FISA rulings. It's a problem (albeit one for decades without much European complaint) and IMO an affront to US constitutional principles as well as European ones. I would like to see that change. Whether that deficiency is in itself sufficient basis as a matter of European law to overturn the Commission's finding of adequate protection I cannot say.
I admit I have not studied the ruling in detail yet (and am generally not a constitutional lawyer), but I understand that the peculiarity you mention may have something to do with a peculiar nature of the safe harbour decision in the first place - i.e. that it was a decision of the European Commission that established a presumption of fact (namely that the US is deemed to be a permitted transferee when it comes to sharing of personal data of Europeans, under the legislation that permits sharing data with countries which ensure comparable protection to that of the EU law).
The ECJ is the only court within the EU capable of striking down the decision, as national courts cannot rule on acts and decisions of the EU law - and in fact a lot of its rulings concern finding on facts and striking down the Commission's decisions (for example, in antitrust or state aid cases).
So I guess the only unusual part is that this ruling came through a preliminary ruling procedure.
I guess some confusion for Americans (and I am not talking about you, Minsky, but grumbler etc.) may come from the fact that the ECJ (and its lower court, the Court of First Instance) is not in fact the EU's highest court in the same sense the Supreme Court of the US is.
It has a dual role and it is that of (1) "constitutional" court of the EU which finds out about various legal acts of the EU being consistent with the higher level EU legislations (and in this case it cannot really find on facts), but also that of (2) "normal" appeal court for decisions of the EU commission (in which case it acts like an ordinary appellate court, that can find on facts).
Quote from: Martinus on October 06, 2015, 11:51:40 PM
Quote from: The Minsky Moment on October 06, 2015, 05:43:38 PM
The ECJ is well-respected, but like all human institutions, prone to fallibility.
The decision presents certain peculiarities from the POV of a common law lawyer. It states that the case before it is a request for a preliminary ruling, which I understand to be a request from a national level court for a ruling or interpretation of European law. That much is understandable and has parallels I am familiar with, although in the US it is almost always the other way around - a national level court certifying an issue of state law to a state court.
In the US context, however, such requests are always seeking opinions of law - matters of fact finding remain with the court originating the request, for reasons I think both obvious and sound.
The request in the ECJ decision appears to relate to validity of a decision of the Commission - namely one that among other things, certified that the US provided adequate protection for personal data. But the ECJ does not appear to confine itself to a purely legal view of the Decision, but makes findings that it is unsupportable in reference to certain alleged facts. At the same time, it doesn't indicate a basis or source for all the facts it relies on - most notably the claim concerning US "legislation" that authorized general collection. Usually when a court refers to "legislation" as a basis for ruling, there is a citation to that legislation, even if foreign law. That doesn't occur though, presumably because the US legislation in question doesn't exist.
There are things in the ECJ decision that seem sound. It identifies correctly the weakness in the inability of affected persons to challenge or contest FISA rulings. It's a problem (albeit one for decades without much European complaint) and IMO an affront to US constitutional principles as well as European ones. I would like to see that change. Whether that deficiency is in itself sufficient basis as a matter of European law to overturn the Commission's finding of adequate protection I cannot say.
I admit I have not studied the ruling in detail yet
But you didn't let that stop you from drawing a conclusion, of course.
:rolleyes:
Quote from: grumbler on October 06, 2015, 02:19:32 PM
Quote from: The Minsky Moment on October 06, 2015, 11:26:56 AM
It's based on a false finding of facts, namely that US law permits public authorities to have access on a generalized basis to the content of electronic communications.
That claim is repeated several times.
It's a European court. Facts must cede pride of place to politics.
I guess they actually decided based on facts, namely that your intelligence agencies are lawless and don't even adhere to the spirit of the US constitution or actual US legislation. So in a way you are right, it was a decision following politics, not written law. Because the written law has no relation to reality. When a state like the US no longer applies its own laws, an agreement like Safe Harbour with such a state becomes worthless and does not protect EU citizens.
Edit: To make it more concise: The highest court of the EU just said that the US government is no longer a trustworthy partner. That's just the price for indiscriminate spying on everyone. I guess you have to decide whether it is worth that.
Our intelligence agencies have laws. They just don't protect foreign governments.
Quote from: Razgovory on October 07, 2015, 05:12:40 PM
Our intelligence agencies have laws. They just don't protect foreign governments.
Foreign governments aren't at issue here. Foreign individuals are. The laws do protect such individuals because they put limitations on how and what information can be collected, and while there are more limitations vis-à-vis US citizens, authority is not unlimited as to foreign individuals.
Quote from: Zanza on October 07, 2015, 04:48:01 PM
I guess they actually decided based on facts, namely that your intelligence agencies are lawless and don't even adhere to the spirit of the US constitution or actual US legislation.
The only incident I'm aware of for which that claim could be made was the bulk metadata collection. I'd agree that was lawless (although in fairness it's complicated enough that at least one appeals court with some pretty smart judges on found otherwise).
The bulk metadata program is being shut down and was not the basis of the ECJ decision.
The ECJ decision is based on:
(1) the fact that US intelligence agencies complying with the law can and do collect extensive data concerning foreign persons suspected of terrorist activities without a formal warrant, which can also include the data of other (potentially innocent) persons who communicated with the target.
(2) the fiction/misunderstanding that there is some other program out there ("PRISM" or some other acronym) under which US agencies have generalized access to electronic communications.
Quote from: The Minsky Moment on October 07, 2015, 05:51:09 PM
(2) the fiction/misunderstanding that there is some other program out there ("PRISM" or some other acronym) under which US agencies have generalized access to electronic communications.
:lol:
Ok, so having now read the ruling it does not seem to hinge on the consideration of facts about whether the US in fact provides sufficient data protection.
The crux of the ruling is that the Commission had no authority to issue a safe harbour decision which would have the effect of preventing national courts from being able to examine, on their own, the facts of the case as to whether the US provides sufficient protection to data - in other words, the ECJ has ruled that this is a matter for national courts to decide when applying the data protection law.
So I guess we are discussing a straw man.
Quote from: The Minsky Moment on October 06, 2015, 11:26:56 AM
It's based on a false finding of facts, namely that US law permits public authorities to have access on a generalized basis to the content of electronic communications.
That claim is repeated several times.
Where is the claim repeated? In the actual ruling or press coverage of it?
This is what the plaintiff claimed by lodging the complaint with the Irish court. The Irish court asked a preliminary question to the ECJ whether it is entitled to review that complaint, in light of the Commission's safe harbour decision that says the US system is kosher. The ECJ simply stated that the safe harbour decision is illegal, as the Commission does not have power to preclude a national court from making such a determination based on its own consideration of facts.
So wait, is this really the case of the journalist misunderstanding the ruling, Minsky misunderstanding the article and then a bunch of ignorant blowhards going on a tirade about "stupid EU courts"?
Quote from: The Minsky Moment on October 07, 2015, 05:51:09 PM
Quote from: Zanza on October 07, 2015, 04:48:01 PM
I guess they actually decided based on facts, namely that your intelligence agencies are lawless and don't even adhere to the spirit of the US constitution or actual US legislation.
The only incident I'm aware of for which that claim could be made was the bulk metadata collection. I'd agree that was lawless (although in fairness it's complicated enough that at least one appeals court with some pretty smart judges on found otherwise).
The bulk metadata program is being shut down and was not the basis of the ECJ decision.
The ECJ decision is based on:
(1) the fact that US intelligence agencies complying with the law can and do collect extensive data concerning foreign persons suspected of terrorist activities without a formal warrant, which can also include the data of other (potentially innocent) persons who communicated with the target.
(2) the fiction/misunderstanding that there is some other program out there ("PRISM" or some other acronym) under which US agencies have generalized access to electronic communications.
Quote from: Zanza on October 08, 2015, 04:24:19 AM
Quote from: The Minsky Moment on October 07, 2015, 05:51:09 PM
(2) the fiction/misunderstanding that there is some other program out there ("PRISM" or some other acronym) under which US agencies have generalized access to electronic communications.
:lol:
I interpreted that not as a statement that PRISM doesn't exist (because it clearly does), but that what role it actually performs is being misinterpreted.
And Minsky, where do you get that bulk metadata collection is being shut down? It expired, but was reauthorized soon afterward.
Quote from: Martinus on October 08, 2015, 05:03:53 AM
So wait, is this really the case of the journalist misunderstanding the ruling, Minsky misunderstanding the article and then a bunch of ignorant blowhards going on a tirade about "stupid EU courts"?
:lmfao:
Pot, meet kettle.
Quote from: Martinus on October 08, 2015, 04:58:10 AM
The crux of the ruling is that the Commission had no authority to issue a safe harbour decision which would have the effect of preventing national courts from being able to examine, on their own, the facts of the case as to whether the US provides sufficient protection to data - in other words, the ECJ has ruled that this is a matter for national courts to decide when applying the data protection law.
The ruling goes further than that.
Quote
85 In this connection, Decision 2000/520 states in Part B of Annex IV, with regard to the limits to which the safe harbour principles' applicability is subject, that, '[c]learly, where US law imposes a conflicting obligation, US organisations whether in the safe harbour or not must comply with the law'.
86 Thus, Decision 2000/520 lays down that 'national security, public interest, or law enforcement requirements' have primacy over the safe harbour principles, primacy pursuant to which self-certified United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with those requirements and therefore prove incompatible with them.
87 In the light of the general nature of the derogation set out in the fourth paragraph of Annex I to Decision 2000/520, that decision thus enables interference, founded on national security and public interest requirements or on domestic legislation of the United States, with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States. To establish the existence of an interference with the fundamental right to respect for private life, it does not matter whether the information in question relating to private life is sensitive or whether the persons concerned have suffered any adverse consequences on account of that interference (judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 33 and the case-law cited).
...
96 As has been found in particular in paragraphs 71, 73 and 74 of the present judgment, in order for the Commission to adopt a decision pursuant to Article 25(6) of Directive 95/46, it must find, duly stating reasons, that the third country concerned in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order, a level that is apparent in particular from the preceding paragraphs of the present judgment.
97 However, the Commission did not state, in Decision 2000/520, that the United States in fact 'ensures' an adequate level of protection by reason of its domestic law or its international commitments.
98 Consequently, without there being any need to examine the content of the safe harbour principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid.
http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=245638
Quote from: The Minsky Moment on October 06, 2015, 05:43:38 PM
The ECJ is well-respected,
How is the judicial branch of a phantom government that only sometimes has the will and power to enforce its laws respected?
Quote from: ulmont on October 08, 2015, 09:29:55 AM
Quote from: Martinus on October 08, 2015, 04:58:10 AM
The crux of the ruling is that the Commission had no authority to issue a safe harbour decision which would have the effect of preventing national courts from being able to examine, on their own, the facts of the case as to whether the US provides sufficient protection to data - in other words, the ECJ has ruled that this is a matter for national courts to decide when applying the data protection law.
The ruling goes further than that.
Quote
85 In this connection, Decision 2000/520 states in Part B of Annex IV, with regard to the limits to which the safe harbour principles' applicability is subject, that, '[c]learly, where US law imposes a conflicting obligation, US organisations whether in the safe harbour or not must comply with the law'.
86 Thus, Decision 2000/520 lays down that 'national security, public interest, or law enforcement requirements' have primacy over the safe harbour principles, primacy pursuant to which self-certified United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with those requirements and therefore prove incompatible with them.
87 In the light of the general nature of the derogation set out in the fourth paragraph of Annex I to Decision 2000/520, that decision thus enables interference, founded on national security and public interest requirements or on domestic legislation of the United States, with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States. To establish the existence of an interference with the fundamental right to respect for private life, it does not matter whether the information in question relating to private life is sensitive or whether the persons concerned have suffered any adverse consequences on account of that interference (judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 33 and the case-law cited).
...
96 As has been found in particular in paragraphs 71, 73 and 74 of the present judgment, in order for the Commission to adopt a decision pursuant to Article 25(6) of Directive 95/46, it must find, duly stating reasons, that the third country concerned in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order, a level that is apparent in particular from the preceding paragraphs of the present judgment.
97 However, the Commission did not state, in Decision 2000/520, that the United States in fact 'ensures' an adequate level of protection by reason of its domestic law or its international commitments.
98 Consequently, without there being any need to examine the content of the safe harbour principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid.
http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=245638
I may be misreading these paragraphs, but they seem to me to focus on the formal side of the decision and not, as Minsky implied, on the factual analysis as to whether the American system is in fact providing appropriate protection of personal data.
The ruling challenges the decision because:
- it itself includes a possibility of derogation, thus providing insufficient protection to interests of EU citizens; and
- it does not include suitable reasoning as to why the American system can benefit from the safe harbour principles - it simply asserts that it does.
Quote from: The Minsky Moment on October 07, 2015, 05:40:36 PM
Quote from: Razgovory on October 07, 2015, 05:12:40 PM
Our intelligence agencies have laws. They just don't protect foreign governments.
Foreign governments aren't at issue here. Foreign individuals are. The laws do protect such individuals because they put limitations on how and what information can be collected, and while there are more limitations vis-à-vis US citizens, authority is not unlimited as to foreign individuals.
What protections that Saudi citizens should enjoy in their own countries under the US Constitution are the Germans so unhappy about?
Quote from: Zanza on October 08, 2015, 04:24:19 AM
Quote from: The Minsky Moment on October 07, 2015, 05:51:09 PM
(2) the fiction/misunderstanding that there is some other program out there ("PRISM" or some other acronym) under which US agencies have generalized access to electronic communications.
:lol:
This is the problem.
Perhaps the NSA is to blame for the atmosphere where negative assumptions are made
But in courts usually affirmative evidence must be presented.
Quote from: DontSayBanana on October 08, 2015, 07:40:10 AM
And Minsky, where do you get that bulk metadata collection is being shut down? It expired, but was reauthorized soon afterward.
IIRC it was only reauthorized temporarily for transitional purposes.
FWIW I never thought that program was such a big deal.
The bigger problem has always been the hide-the-ball nature of the FISA process and the apparent lack of serious review by the FISA court - but those problems date back to the 1970s. Just no one aside from a couple ACLU activists seemed to care until Failed NSA Celebrity Apprentice fled to HK and revealed all the creepy-sounding bureaucratic acronyms.
Quote from: Berkut on October 07, 2015, 12:20:58 PM
But you didn't let that stop you from drawing a conclusion, of course.
And for leaping on an obviously tongue-in-cheek comment as "racist" (of all things). Racist? :lol:
Then, Marti isn't known as the sharpest tool in the Languish shed.
Quote from: Martinus on October 08, 2015, 05:00:38 AM
Where is the claim repeated? In the actual ruling or press coverage of it?
In the ruling. Only press coverage I read was in the FT and said nothing about this. In the ruling I count 3 instances:
Quote
34 . . .The right to respect for private life, guaranteed by Article 7 of the Charter and by the core values common to the traditions of the Member States, would be rendered meaningless if the State authorities were authorised to access electronic communications on a casual and generalised basis . . .
93. Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made . . .
94 In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life
Quote
The ECJ simply stated that the safe harbour decision is illegal, as the Commission does not have power to preclude a national court from making such a determination based on its own consideration of facts.
I didn't read it as limited in that way. It's true that the court seems to take the position in Para 66 that a national authority can "examine a claim" that there was a transfer of data without sufficient protection even though there is a Commission decision stating that the transferee country offers adequate protection. But I read that in light of Paras 62 and 65 as being a procedural ruling - i.e. the national authority can examine the claim as a preliminary matter, but if it determines there is valid basis, it can't grant relief without making a reference to the ECJ to challenge the validity of the Commission decision.
That reading appears to be confirmed in Para 67, where the ECJ states that in light of what it just said,
"it should be examined whether [Decision 2000/520] complies with the requirements stemming from Directive 95/46 read in the light of the Charter" - i.e. the ECJ appears to be saying it is ruling on the validity of the Decision in light of EU legislation and the Charter. As far as I can tell, that is exactly what the ECJ appears to do in rest of the text, culminating in the finding in Para 98 that Decision 2000/520 is invalid under EU law because - as per Para 96-97 and the earlier paras the Commission didn't have a proper basis to find an adequate level of protection. It is the factual basis of that finding that I have been questioning here.