In a decision that could affect the flow of data from Europe to the U.S., a senior European Union legal official has advised the EU's Court of Justice that the U.S. cannot ensure adequate privacy protections of European Facebook subs' information transferred to U.S. servers due to mass government surveillance and that a 2000 safe harbor agreement that suggested the U.S. did provide that adequate security is invalid.
Advocate General Yves Bot was providing guidance to the court, which had asked whether that safe harbor agreement precluded investigating a complaint that, in light of the Edward Snowden revelations about NSA surveillance activities, the U.S. offered no real protections, the safe harbor agreement notwithstanding.
AG Bot said that it was clear that "the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection."
In addition, Bot said that "the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data," and that EU citizens' inability to be heard in the U.S. about their concerns over surveillance interferes with their right to an effective remedy to surveillance that is "Mass" and "indiscriminate."
The European Commission is currently negotiating with the U.S. on some of the safe harbors "shortcomings," Bot concedes, but says the EC should have suspended that safe harbor decision since by the very fact of negotiating new protections it was conceding the 2000 decision was no longer "adapted to the reality of the situation."
Bot's opinion is not binding on the Court of Justice.
Jeff Chester, executive director of the Center for Digital Democracy, called the decision "a powerful rebuke against the way U.S. data companies gather information from the EU; raises the legality of the so-called data exchange agreement between the U.S. and EU (Safe Harbor) and sets stage for a court ruling that could overturn that agreement."
“The Advocate General’s opinion puts the nail in the coffin of Safe Harbor," said European consumer group BEUC. "This agreement fails to protect European’s personal data. We hope the European Court of Justice will follow this line and stop the mass-circumvention of EU data protection rules. We welcome the Advocate General’s point of view that national data protection authorities have the responsibility to investigate infringements committed by foreign companies under Safe Harbor. The European Commission, which is currently renegotiating Safe Harbor, received today a clear message that the transfer of European citizens’ data cannot be based on self-assessment by U.S. companies.