A major data-sharing deal between the EU and US is ‘invalid’ given the spying revelations in the Edward Snowden scandal, the top EU court’s main legal advisor said Wednesday in a case brought against Facebook.
The case stems from a complaint against Facebook lodged at Ireland’s data protection authority by Austrian right-to-privacy activist and law student Max Schrems.
The complaint focused on a landmark deal reached by the European Commission with Washington 15 years ago that allows thousands of businesses operating in the EU to send the private data of Europeans to servers in the US.
That 2000 data sharing deal, known as Safe Harbour, “is invalid”, said the advocate general’s recommendation.
The Irish Data Protection Commission, which oversees compliance of privacy law in Ireland, had argued that Safe Harbour sufficiently protected Europeans.
But in a strong-worded opinion, the court’s advisor Yves Bot singled out the US government for the “large scale” hoarding of European citizens private data.
Accordingly, Bot said EU member states such as Ireland have the power to probe and even suspend the transfer of information with the United States when the privacy of European citizens is undermined.
The case centred on Ireland where major US web giants including Facebook and Apple have set up headquarters to take advantage of tax laws.
The case now goes to the court for a final ruling in about six months, but judges rarely contradict the findings of their legal advisor.
Schrems, who says he remains a fan of Facebook, welcomed the opinion in a tweet.
“Yay! … Safe Harbour is invalid,” he said, adding that Ireland’s data protection authority now “has a duty to investigate” US data privacy practices.
Schrems argues Safe Harbour, which largely depends on the goodwill of US authorities, is too weak to guarantee the privacy of European residents and the advocate general overwhelmingly backed the accusations.
“Where systemic deficiencies are found in the third country to which the personal data is transferred, the Member States must be able to take the measures necessary to safeguard their fundamental rights,” the EU court statement said.
The evidence leaked by Snowden showed that “the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection,” it said.
Schrems is fighting the social network on several fronts in what his supporters see as a fight of a European David against a Silicon Valley Goliath.
In July, an Austrian court rejected a class action case brought by Schrems and 25,000 other Facebook users, citing a lack of sufficient legal grounds.
A lobby for digital companies operating in Europe warned that the court could severely disrupt the growth of the digital economy on the continent.
Safe Harbour “is used by about 4,500 companies to transfer a wide range of commercial data such as payroll and customer data,” DIGITALEUROPE said in a statement.
Similar deals “that underpin data transfers to many third countries may also be impacted if the Court follows the Opinion of its Advocate General,” it said.
Snowden’s revelations showed that the US National Security Agency used Silicon Valley giants Apple, Google and Facebook to gather user data.
In the wake of the scandal, the EU and Washington began talks to revamp “Safe Harbour” and Wednesday’s opinion will certainly complicate those talks.
The commission, the EU’s executive arm, refused to comment on the case saying the talks to reform Safe Harbour were still on track.
“The Commission has been working tirelessly with the US on the final details of a deal in the last weeks and we are confident that we can reach a positive conclusion soon,” commission spokesman Christian Wigand said in an email to AFP.