Rules for how U.S. companies handle Europeans' personal information under the Safe Harbor agreement do not ensure adequate protection of the data, the Advocate General of the Court of Justice of the European Union has advised in an opinion that threatens the operations of thousands of companies exchanging data between the European Union and the U.S.
Advocate General Yves Bot's opinion could open the way for national governments across the EU to set their own standards for the protection of exported data, potentially disrupting the activities of thousands of companies, including social networks, search engines and payroll processors.
The opinion, on a case relating to the activities of U.S. social network Facebook, is not binding on the court, although the judges do typically follow such opinions.
Lobby group Digital Europe, which counts Google and Microsoft but not Facebook among its members, immediately expressed concern about what will happen if the court follows the Advocate General's opinion.
In addition to business operations, such a decision could disrupt the EU's plans for the digital single market, a set of harmonized e-commerce, copyright and privacy laws, and call into question model contract clauses on data sharing the world over, the group warned.
Bot's opinion concerns a rather convoluted case brought before the High Court of Ireland by Austrian citizen Maximillian Schrems. When he failed to obtain satisfaction from the Irish Data Protection Commissioner regarding a complaint against Facebook, he asked the court for a judicial review. He had made the complaint in Ireland because Facebook's European headquarters is there, putting its interactions with citizens of any EU country under Irish data protection law.
EU law requires that companies exporting EU citizens' personal data do so only to countries providing a similar level of legal protection for that data. In the case of the U.S., the exchange of personal data is covered by the Safe Harbor Privacy Principles, which the European Commission ruled in July 2000 provide adequate protection.
The Commission is renegotiating those principles with the U.S., but in Bot's opinion should have suspended the existing agreement rather than allowing it to continue during the negotiations.
EDRi, the European Digital Rights lobby group, welcomed Bot's criticism of the Commission's inaction, adding that the Commission should never again be allowed to keep in force agreements that the group described as "patently illegal."
Schrems triggered the case in 2013, when he became concerned by the revelations of NSA contractor Edward Snowden that intelligence services in the U.S. were spying on data held there by companies such as Facebook. He filed a complaint that June with the Irish Data Protection Commissioner (DPC), disputing the level of protection the privacy principles offered data about him held by Facebook.
The DPC summarily rejected the complaint in July 2013, pointing to the Commission's finding that the Safe Harbor principles followed by Facebook were adequate.
Schrems sought a judicial review of the DPC's decision from the High Court of Ireland in October that year, and in June 2014 the High Court referred questions about the case to the Court of Justice of the EU.
In his opinion, Bot said the DPC should not have used the Commission's ruling on the adequacy of the Safe Harbor principles as an excuse to avoid hearing Schrem's complaint. Despite the ruling, national regulators should be allowed to determine such matters themselves, he said.
The CJEU's judges have just begun to debate that and other matters referred to them. Their ruling, when it comes, will be binding on the the Irish High Court.
Schrems is pinning his hopes on Bot.
"It seems like years of work could pay off. Now we just have to hope that the judges of the Court of Justice will follow the Advocate General's opinion in principle," he wrote upon reading the opinion.