An ECJ advocate general issued an opinion this morning (23 September) calling the EU-US Safe Harbour data sharing agreement legally invalid.
French ECJ top legal advisor Yves Bot said in his conclusions that “the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection”.
Bot’s opinion is not binding and comes ahead of a final ECJ decision on the Safe Harbour agreement expected later this year. ECJ decisions often follow advocate generals’ opinions.
The case refers to 27-year-old Austrian activist Max Schrems’ complaint against Facebook for transferring his data to the US. Schrems, then a law student when he filed the complaint, argued that data protection in the US is not adequate following revelations about American companies’ information sharing with the NSA.
Bot argued that the Commission should have suspended the agreement after Edward Snowden’s revelations about US intelligence agencies’ mass collection of communications.
“The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter,” Bot said in his opinion.
Originally dismissed by the Irish data protection Commissioner, which cited the validity of Safe Harbour, the Irish High Court referred Schrems’ case to the ECJ in 2014. The Irish commissioner is in charge of privacy complaints against Facebook, which has its European base in Ireland.
Bot’s opinion called for the Irish watchdog to take up the investigation of Schrems’ case again.
The ECJ advocate general also said national data protection authorities can restrict data transfers outside of Europe if they find data protection in that country to be inadequate.
Schrems’ case prompted the European Commission to admit to the ECJ this March that the Safe Harbour agreement with the US doesn’t provide adequate protection of user data. The agreement allows companies to transfer data from Europe to the US if they vouch for adequate privacy protection.
John Higgins, director general of technology industry association DigitalEurope, said the advocate general’s opinion was cause for concern for companies. DigitalEurope’s members include Microsoft, Google, Apple and a number of other large multinational firms.
“In addition to the disruption a Court ruling would have on international data flows, it would also frustrate the creation of the Digital Single Market in Europe because it would fragment Europe’s approach to data flows out of the EU,” Higgins said.
Schrems also predicted negative effects for the US technology industry if the ECJ follows Bot’s opinion.
“The approach the advocate general has proposed is balanced and protects the fundamental rights of the users and the free flow of data. I am sure lobby groups will again predict the ‘end of the internet’. In fact this case only addresses outsourcing of data from a European to a US company if the data is shared for mass surveillance,” Schrems said following the publication of Bot’s opinion.
The current data protection directive allows for a limited flow of data outside of Safe Harbour that is not subject to review by EU authorities.
>>Read: Safe Harbour deal held up by US
Negotiations between the Commission and US officials on a new Safe Harbour deal have been ongoing for almost two years.
German MEP Jan Philipp Albrecht (Greens) said of Bot’s opinion, “It is unacceptable that the European Commission has ignored this demand for a year and a half. It is now time for the Commission to finally suspend ‘Safe Harbor’.”
Albrecht is parliament rapporteur for the ongoing negotiations on the EU general data protection regulation (GDPR).
The Commission set out 13 recommendations for improving the agreement in 2013.
But a new Safe Harbour has been held up, most recently by disagreements over provisions on data sharing with US law enforcement.
The Commission will be bound to the upcoming ECJ decision in drafting a new Safe Harbour agreement, which will affect companies including Facebook, Google, Apple and others that transfer Europeans’ data to the US to be processed or stored.
The Facebook case has made Schrems a prominent figure in current privacy debates surrounding Safe Harbour and the upcoming GDPR.
Yesterday (22 September), he moderated a discussion in the European Parliament with MEPs and Commission negotiators of regulation, expected to be approved by the end of this year.
Schrems’ legal fees have been bankrolled by donations topping €60,000.
In a statement on Wednesday, Schrems thanked Edward Snowden and journalists Glenn Greenwald and Laura Poitras, who published the whistleblower’s leaks on US and other intelligence agencies.
“Without their work and the donations of more than 2000 people, this issue would not be before the EU’s top court today,” he said.
>>Read: Council approves data protection reform