The highly influential advisor to Europe’s top court has delivered his stunning verdict on the validity of the data sharing agreement between the EU and US.
And it may not be good news for Facebook, Google and other tech firms who are sometimes required to share their European data with American intelligence and law enforcement agencies.
The Advocate General Yves Bot has this morning told Europe’s top court, the European Court of Justice (ECJ), that the existing data sharing deal between the US and Europe is invalid and that members states can suspend data sharing with the US.
It should be noted that the ECJ has yet to make an official ruling on the so called Safe Harbour data sharing agreement, and the judges are not bound by Bot’s opinion, but they tend to follow it in most cases.
The current Safe Harbour deal has been in place since 2000, and effectively allows US firms such as Google and Facebook to collect data on their European users, as long as certain principles around storage and security are upheld. But Facebook and others have (albeit reluctantly) shared the data of EU citizens with American intelligence agencies such as the National Security Agency (NSA), when it requests the data.
The ECJ is currently considering the issue because of the case brought by Austrian lawyer Max Schrems.
He began his Europe-v-Facebook campaign in late 2012 with the Irish data protection watchdog. In his complaint, he argued that the Edward Snowden disclosures show there is no effective data protection regime in the United States.
The case progressed to the Irish High Court, but it then referred the decision about the snooping activities of the NSA up the ladder to the ECJ.
The case went before the ECJ in March and now the ECJ Advocate General has given his opinion as to whether the data-sharing deal is still legally binding in light of the mass surveillance allegations by the US.
Advocate General Yves Bot focused on the fact that back in July 2000, the European Commission ruled that under the current ‘safe harbour’ scheme, the US did have an adequate level of data protection safeguards.
Advocate General Yves Bot takes the view that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the national supervisory authorities’ powers under the directive on the processing of personal data. He considers furthermore that the Commission decision is invalid.
A statement from the Court of Justice of the European Union read: “The Advocate General thus draws the conclusion that, if a national supervisory authority considers that a transfer of data undermines the protection of citizens of the EU as regards the processing of their data, it has the power to suspend that transfer, irrespective of the general assessment made by the Commission in its decision.
“Where systemic deficiencies are found in the third country to which the personal data is transferred, the Member States must be able to take the measures necessary to safeguard the fundamental rights protected by the Charter of Fundamental Rights of the EU, which include the right to respect for private and family life and the right to the protection of personal data.
“It is apparent from the findings of the High Court of Ireland and of the Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection.
“The Advocate General considers furthermore that the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data.”
The stunning verdict by Advocate General Bot could spell massive trouble for many US tech firms, especially if the ECJ eventually rules against the agreement.
The business practices of Google, Facebook, Microsoft and others could be significantly impacted, as it would likely make the transferring European data to the US much more difficult. Indeed, it could mean that tech firms have to duplicate their American infrastructure by constructing additional data centres in Europe, in order to keep European data on European soil.
Last year, Europe’s top data protection official, Peter Hustinx, said that European citizens need to be better shielded from the snooping and spying activities from the likes of the NSA and Britain’s GCHQ.
The EU is currently reviewing its Safe Harbour agreement with the United States, and is negotiating with Washington. In May it was revealed those negotiations are very close to completion.
Following the NSA spying revelations. Where do you store your data?