The top advisor to the European Court of Justice (ECJ) has said the current agreement between the EU and US is not worth the paper it’s written on .
Advocate General Yves Bot’s opinion on the so-called Facebook vs Europe case is not legally binding, but the court’s final ruling almost always follows his advice.
The case was brought by “Angry Austrian” Max Schrems who complained to the Irish Data Commissioner that Facebook had passed his personal data on to the US National Security Agency in breach of his data protection rights. The Irish data protection authorities (DPA) refused to investigate on the grounds that Facebook is signed up to the so-called safe harbour agreement.
Today’s opinion puts the whole safe harbour arrangement in jeopardy. Sixteen years ago, the EU and US set up the arrangement to allow personal data to be transferred to the US jurisdiction, despite it not have sufficient privacy laws to qualify for EU adequacy.
Following revelations by whistleblower in chief Edward Snowden, the European Parliament calling for the safe harbour programme to be suspended. However the EU executive, the European Commission, was reluctant to do so and instead pinned its hopes on renegotiating the terms of the agreement.
“The agreement has been kept alive by the European Commission's refusal to accept the ever-growing mountain of evidence of the inadequacy of the agreement,” said Joe McNamee Executive Director of digital rights group EDRi. Bot’s opinion was was postponed in June amid speculation that the Commission was playing for time to reach a new deal with the US.
In the Advocate General’s opinion he points out the fact that the Commission is currently negotiating with the US to sort out shortcomings in the agreement, means that the Commish is aware that it is no longer “adapted to reality” and should have been suspended.
But there are huge reasons why the Commission might not want to suspend the agreement. Business between the EU and US could potentially grind to a standstill if data cannot be transferred. If Court follows Bot’s opinion and finds the safe harbour agreement unfit for purpose, it would have huge implications for companies like Facebook, Apple, Google, Yahoo, Skype, Microsoft et al, who currently rely on the voluntary Safe Harbour code of conduct which is then legally enforced by the Federal Trade Commission.
Jan Philipp Albrecht, who is the European Parliament's man in charge of the reform of EU data protection rules, said: "The advocate general has today made clear that the transfer of EU citizens' private data to the US by Facebook is at odds with EU law. This welcome finding must provoke an immediate response by the relevant authorities in Europe. The Irish data protection commissioner must immediately move to prevent any further data transfers to the US by Facebook, which operates under Irish jurisdiction.”
Naturally the business community is extremely worried. “We are concerned about the potential disruption to international data flows if the Court follows today’s Opinion,” said John Higgins, Director General of DigitalEurope. “In addition to the disruption a Court ruling would have on international data flows, it would also frustrate the creation of the Digital Single Market in Europe because it would fragment Europe’s approach to data flows out of the EU,” said Higgins
“Access welcomes today’s opinion which brings the Safe Harbor mechanism under increased scrutiny; the present system fails to protect the rights of users and must be urgently reformed,” said Estelle Massé, Policy Analyst at Access.
“This case reinforces the urgent need for surveillance reform globally. The US law that authorises the PRISM programme inadequately protects the rights of users, particularly users outside the United States, and it is imperative that the US honour its human rights obligations and discontinue this type of surveillance,” added Massé.
The European Parliament has already called for safe harbor to be suspended and the Commission will now come under even more pressure to ditch the deal.
“It is unacceptable that the Commission has ignored this demand for a year and a half. We need robust, common data protection rules for the EU, which can also be applied to internet operators and the online sector from the US. To this end, we need to swiftly agree the reform of the EU's data protection laws to ensure strong and implementable individual rights," said MEP Albrecht.
In his opinion Bot says that although national data protection authorities are legally bound by the Commission deal, countries must be able to “take the measures necessary to safeguard the fundamental rights protected by the Charter of Fundamental Rights of the EU, which include the right to respect for private and family life and the right to the protection of personal data”.
The final ruling by 15 judges of the highest court in the European Union is expected later this year. ®