The 2000 Safe Harbour deal, which allows US and EU companies to freely transfer EU citizens' data to the US, looks set to be quashed by the European Court of Justice.
According to an opinion written by an advisor to the ECJ – the EU's top court – the Safe Harbour agreement fails to adequately protect information on EU citizens when it is stored and processed in the US.
Yves Bot, ECJ advocate general, published the opinion yesterday. He was concerned about US intelligence services being given access to data about EU citizens held by US companies such as Facebook and Google.
“The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter,” Bot said in his opinion.
Bot believes that the agreement should have been suspended following Edward Snowden's revelations about the NSA's mass collection of communications.
The opinion is not binding on the court but the advice is generally followed.
The case originated when Austrian privacy activist Max Schrems sued Facebook in the Irish courts. The Irish High Court refused to hear the case and it was escalated to the ECJ.
Schrems claims that personal data is unprotected when transferred to the US, in violation of EU data protection laws.
According to Reuters, the opinion has been described as “trenchant” and would allow national data protection authorities to suspend data transfers to third countries if they suspected that EU private data could be compromised.
International companies rely on the Safe Harbour agreement to allow them to transfer data about staff and customers between countries. The agreement also underpins the multi-billion international advertising and direct marketing industries.
In a statement, DigitalEurope – which represents the digital technology industry in Europe – warned of the potential disruption to international data flows if the ECJ were to follow this opinion.
“In addition to the disruption a Court ruling would have on international data flows, it would also frustrate the creation of the Digital Single Market in Europe because it would fragment Europe's approach to data flows out of the EU,” said John Higgins, Director General of DigitalEurope.
According to DigitalEurope, the agreement is used by 4500 companies to allow transatlantic transfers of staff and customer information.
Sundaram Lakshmanan, VP of Technology at cloud security firm CipherCloud, commented: “The CJEU's opinion to invalidate the safe harbour agreement between the EU and US is based on flawed logic. In the aftermath of Snowden's disclosures, US tech firms have strengthened their technologies and policies to better protect customers. Stronger privacy controls, such as rolling out end-to-end encryption, thwart even technology makers' own ability to unlock data and devices. Meanwhile, US cloud providers are more aggressively rejecting requests for data and are fighting the US government in court to deny access to data belonging to EU citizens.
“Given these measures, it's hard to make a case that data isn't adequately protected. Overturning safe harbor would immediately cut off thousands of companies that rely on Safe Harbour from transferring business critical data internationally. It would be illogical to leave these companies without a Plan B and even worse, create precedence for balkanising the Internet.”
A final decision is expected from the court in four to six months.