X

EU data transfer deal with US may be illegal, says Europe's top legal counsel

Facebook and other US companies can not adequately protect EU citizens' data from government surveillance, says Advocate General Yves Bot.

Katie Collins Senior European Correspondent
Katie a UK-based news reporter and features writer. Officially, she is CNET's European correspondent, covering tech policy and Big Tech in the EU and UK. Unofficially, she serves as CNET's Taylor Swift correspondent. You can also find her writing about tech for good, ethics and human rights, the climate crisis, robots, travel and digital culture. She was once described a "living synth" by London's Evening Standard for having a microchip injected into her hand.
Katie Collins
3 min read

European Court of Justice in Luxembourg. European Commission

A 15-year-old pact that allows the transfer of data between the United States and European Union may be illegal, according to an opinion from the European Court of Justice's top legal counsel . The decision could have far-reaching consequences for Facebook, Google, Twitter and thousands of other US companies.

Countries should be able to prevent data about their citizens from being sent to the US if that data will be used in ways that violate citizens' rights, Advocate General Yves Bot said Wednesday in his recommendation to the ECJ. The "Safe Harbour" agreement, which helps companies comply with EU privacy laws when data is transferred to servers in the US, fails to protect the personal data of EU citizens from "mass, indiscriminate surveillance" by US intelligence agencies, Bot said. It's possible the agreement is illegal under the Data Protection Directive, a set of EU laws regarding the protection of personal data.

Bot's decision may force US companies to choose between operating in Europe or complying with requests from US law enforcement agencies -- including the NSA -- to hand over user data. The decision is not binding, but will inform the final European Court ruling, which is expected later this year.

The decision will inevitably cause headaches for US companies, about 4,000 of which currently benefit from Safe Harbour. It may also be interpreted as yet another sign that Europe is a regulatory minefield for US businesses. Bot's decision stems from a case involving Facebook, the world's largest social network, which has its European headquarters in Dublin, Ireland.

Following revelations from ex-NSA contractor Edward Snowden about US and UK government spying, Austrian law student Max Schrems filed a case in Ireland challenging Facebook's data collection in Europe. In spite of Facebook's protests, Schrems is adamant that the company cooperates with the NSA's mass data collection programme, known as PRISM.

"We have repeatedly said that we do not provide 'backdoor' access to Facebook servers and data to intelligence agencies or governments," said a Facebook spokesman. "As (CEO Mark Zuckerberg) said in June 2013, we had never heard of PRISM before it was reported by the press and we have never participated in any such scheme."

Irish courts dismissed the case and passed it onto European Court of Justice, due to the fact that the Safe Harbour agreement between the US, the EU and Switzerland was struck by the European Commission.

Bot on Wednesday agreed with Schrems claim that data being sent by Facebook and other companies to the US was not being adequately protected. "It is apparent from the findings of the High Court of Ireland and of the Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection," the ECJ said in a statement.

In light of this, Bot decided that "the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data." These are rights enjoyed by all citizens of the EU in accordance with Article 8 of the European Convention of Human Rights. Bot has explicitly criticised the Commission's failure to protect these rights, saying "the Commission ought to have suspended the application of the decision".

"Facebook operates in compliance with EU Data Protection law," Facebook said. "Like the thousands of other companies who operate data transfers across the Atlantic we await the full judgment."

"After an initial review of the advocate general's opinion of more than 40 pages it seems like years of work could pay off," Schrems said in a statement Wednesday. "Now we just have to hope that the judges of the Court of Justice will follow the advocate general's opinion in principle."

The European Commission said it does not comment on ongoing cases.