An ECJ advocate general issued an opinion this morning (23 September) calling the EU-US Safe Harbour data sharing agreement legally invalid.
French ECJ top legal advisor Yves Bot said in his conclusions that “the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection”.
Bot’s opinion is not binding and comes ahead of a final ECJ decision on the Safe Harbour agreement expected later this year. ECJ decisions often follow advocate generals’ opinions.
The case refers to 27-year-old Austrian activist Max Schrems’ complaint against Facebook for transferring his data to the US. Schrems, then a law student when he filed the complaint, argued that data protection in the US is not adequate following revelations about American companies’ information sharing with the NSA.
Bot argued that the Commission should have suspended the agreement after Edward Snowden’s revelations about US intelligence agencies’ mass collection of communications.
“The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter,” Bot said in his opinion.
Originally dismissed by the Irish data protection Commissioner, which cited the validity of Safe Harbour, the Irish High Court referred Schrems’ case to the ECJ in 2014. The Irish commissioner is in charge of privacy complaints against Facebook, which has its European base in Ireland.
Bot’s opinion called for the Irish watchdog to take up the investigation of Schrems’ case again.
The ECJ advocate general also said national data protection authorities can restrict data transfers outside of Europe if they find data protection in that country to be inadequate.
Schrems’ case prompted the European Commission to admit to the ECJ this March that the Safe Harbour agreement with the US doesn’t provide adequate protection of user data. The agreement allows companies to transfer data from Europe to the US if they vouch for adequate privacy protection.
John Higgins, director general of technology industry association DigitalEurope, said the advocate general’s opinion was cause for concern for companies. DigitalEurope’s members include Microsoft, Google, Apple and a number of other large multinational firms.
“In addition to the disruption a Court ruling would have on international data flows, it would also frustrate the creation of the Digital Single Market in Europe because it would fragment Europe’s approach to data flows out of the EU,” Higgins said.
Schrems also predicted negative effects for the US technology industry if the ECJ follows Bot’s opinion.
“The approach the advocate general has proposed is balanced and protects the fundamental rights of the users and the free flow of data. I am sure lobby groups will again predict the ‘end of the internet’. In fact this case only addresses outsourcing of data from a European to a US company if the data is shared for mass surveillance,” Schrems said following the publication of Bot’s opinion.
The current data protection directive allows for a limited flow of data outside of Safe Harbour that is not subject to review by EU authorities.
>>Read: Safe Harbour deal held up by US
Negotiations between the Commission and US officials on a new Safe Harbour deal have been ongoing for almost two years.
German MEP Jan Philipp Albrecht (Greens) said of Bot’s opinion, “It is unacceptable that the European Commission has ignored this demand for a year and a half. It is now time for the Commission to finally suspend ‘Safe Harbor’.”
Albrecht is parliament rapporteur for the ongoing negotiations on the EU general data protection regulation (GDPR).
The Commission set out 13 recommendations for improving the agreement in 2013.
But a new Safe Harbour has been held up, most recently by disagreements over provisions on data sharing with US law enforcement.
The Commission will be bound to the upcoming ECJ decision in drafting a new Safe Harbour agreement, which will affect companies including Facebook, Google, Apple and others that transfer Europeans’ data to the US to be processed or stored.
The Facebook case has made Schrems a prominent figure in current privacy debates surrounding Safe Harbour and the upcoming GDPR.
Yesterday (22 September), he moderated a discussion in the European Parliament with MEPs and Commission negotiators of regulation, expected to be approved by the end of this year.
Schrems’ legal fees have been bankrolled by donations topping €60,000.
In a statement on Wednesday, Schrems thanked Edward Snowden and journalists Glenn Greenwald and Laura Poitras, who published the whistleblower’s leaks on US and other intelligence agencies.
“Without their work and the donations of more than 2000 people, this issue would not be before the EU’s top court today,” he said.
>>Read: Council approves data protection reform
Positions
Austrian S&D MEP Josef Weidenholzer: "It's an important signal that an ECJ general advocate considers this invalid. European law applies to European data. 'Safe Harbour's' time is over."
Joe McNamee, executive director of NGO European Digital Rights: "If confimed by the full Court, this is a very important step first step for the right to privacy in Europe. What happens next is crucial. It must never again happen, like in this case, like in the case of the Data Retention Directive, that obduracy from the Commission can keep agreements in force that are patently illegal."
Agustin Reyna, senior legal officer of the European Consumer Organisation (BEUC): "We hope the European Court of Justice will follow this line and stop the mass-circumvention of EU data protection rules. We welcome the Advocate General’s point of view that national data protection authorities have the responsibility to investigate infringements committed by foreign companies under Safe Harbour. The European Commission, which is currently renegotiating Safe Harbour, received today a clear message that the transfer of European citizens’ data cannot be based on self-assessment by US companies.”
Antony Walker, deputy CEO of British industry association techUK: "Disruption to international data flows could hurt the UK’s digital economy. The approach that Europe takes to how data flows in and out of the EU will impact the global ambitions of data-driven companies in the UK and right across Europe. Thousands of companies, employing tens of thousands of people in the UK alone, rely upon Safe Harbour every day, for example to move HR data between their European and US operations.”
Background
Existing European rules on data protection were adopted in 1995, when the Internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate took a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.
European politicians reacted angrily to the news and called for stricter measures to ensure privacy.