EU-U.S. Data Sharing Deal Can't Be Trusted, Top Court Aide Says

Servers inside Facebook’s Prineville Data Center in Oregon.

Servers inside Facebook’s Prineville Data Center in Oregon.

Photographer: Meg Roussos/Bloomberg
  • Advocate General criticizes EU for not suspending EU-U.S. pact
  • U.S. companies such as Facebook may face greater scrutiny

American spies have almost unfettered access to information about European users of Facebook Inc. and other social media thanks to an illegal trans-Atlantic pact on data-transfers, an adviser to the EU’s top court warned on Wednesday.

Secret U.S. orders forcing technology companies to hand over personal data linked to EU citizens can’t continue under an “invalid” data-transfer accord struck 15 years ago, Advocate General Yves Bot of the Luxembourg-based tribunal said in a non-binding opinion. The EU court follows such advice in a majority of cases.

EU citizens “who are Facebook users are not informed that their personal data will be generally accessible to the United States security agencies,” said Bot. National data privacy watchdogs have the power, “where appropriate,” to suspend the transfer of such data to servers located in the U.S., including in the case concerning the data of European Facebook users, he said.

Unwarranted Interference

The EU Court of Justice should scrap the 2000 Safe Harbor decision because it doesn’t protect citizens from the 28-nation bloc enough from an “unwarranted interference” with their rights and a “large-scale collection of personal data,” he said.

The EU-U.S. data-sharing accord gives U.S. intelligence services “wide-ranging” access to EU citizens’ data that “must be considered to be particularly serious, given the large number of users concerned and the quantities of data transferred,” said Bot.

Those factors and “the secret nature” of the U.S. agencies’ access to such data via the servers of companies based in the U.S. “make the interference extremely serious.”

The EU’s top court has been weighing the validity of the data-sharing accord following revelations by former National Security Agency contractor Edward Snowden about U.S. government surveillance activities and mass data collection. An Irish judge last year called on the EU’s tribunal to decide whether the deal still protects privacy and whether national regulators have the power to suspend illegal data flows from the EU to the U.S.

Too Lax

Bot criticized the European Commission for having neither “suspended nor adapted” the decision even though “it was aware of shortcomings” all along. The commission has been in negotiations with the U.S. for two years in a bid to address its concerns with the Safe Harbor decision of too lax sharing of people’s personal data.

The Brussels-based EU executive arm said it “has been working tirelessly with the U.S. on the final details of a deal in the last weeks and we are confident that we can reach a positive conclusion soon,” according to an e-mailed statement Wednesday.

Austrian privacy activist Max Schrems triggered the case with a complaint he filed against Facebook with the privacy watchdog in Ireland, where the U.S. social network company has its European base. He alleged that Facebook’s Irish unit illegally handed over data to U.S. spies. Schrems had previously filed 22 complaints against the Menlo Park, California-based company.

Facebook, like other tech giants Google Inc. and Yahoo! Inc., have been reeling from the effects of the Snowden revelations in 2013. The companies have been trying to assure their users or customers that their products are secure and that they don’t willingly turn over data to the government.

NSA Surveillance

If followed by the court, it would mean that Facebook’s European branch in
Ireland “would be barred from processing its data in the U.S., but would have to process its data in a place where those data are not subject to NSA mass-surveillance,” Herwig Hofmann, a lawyer representing Schrems, told reporters at the EU court today. All U.S. companies would have to follow the same rules, he said.

Facebook “operates in compliance with EU Data Protection law. Like the thousands of other companies who operate data transfers across the Atlantic we await the full judgment," said spokeswoman Sally Aldous.

"We have repeatedly said that we do not provide ‘backdoor’ access to Facebook servers and data to intelligence agencies or governments,” she said.

All U.S. companies that are certified under Safe Harbor -- there are more than 4,000 such companies -- will be affected by the EU court’s decision, which should follow in the next four to six months.

DigitalEurope, a trade group that represents companies such as Apple Inc.,
Google Inc. and Microsoft Corp., said it is “concerned about the potential
disruption to international data flows if the court follows today’s
opinion,” according to a statement by John Higgins, its director general.

“If the safe harbor system is gone, it is very likely that the data protection authorities in the 28 EU member states will not allow data transfers to U.S. companies that are subject to mass surveillance laws,” said Schrems in an e-mailed statement. “This may have major commercial downsides for the U.S. tech industry.”

The case is: C-362/14, Maximillian Schrems v. Data Protection Commissioner.