EU-US data-sharing contradicts protection rules and breaches privacy

European Court of Justice delivers landmark assessment ahead of full ruling

 

The advocate general of the European Court of Justice has said the mass transfer of EU user data to the US by companies such as Facebook contradicts EU data protection laws and represents a breach of the fundamental right to privacy.

In a preliminary and non-binding assessment ahead of a full ruling, the Luxembourg court’s advocate general Yves Bot recommended that the court invalidate the existing “Safe Harbour” rules.

He also criticised the European Commission for permitting ongoing data transfer under existing “Safe Harbour” provisions, despite its concerns over the use of the data following revelations by whistleblower Edward Snowden.

“Although it was aware of shortcomings,” he wrote in a 45-page opinion, “the Commission neither suspended nor adapted that decision, thus entailing the continuation of the breach of the fundamental rights of the persons whose personal data was and continues to be transferred under the safe harbour scheme.”

The final verdict on this case, expected as early as next month, could have far-reaching consequences for EU-US diplomatic and trade relations, as well as ongoing talks on a transatlantic free-trade agreement.

If the court follows its advocate general, it could also mean radical change for how the Irish DPC supervises US high-tech multinationals based in Ireland, including Facebook. The ECJ case arose from a complaint by Austrian privacy campaigner Max Schrems to the Irish data protection commissioner (DPC), on foot of claims by Edward Snowden that Facebook and other US multinationals were facilitating widespread surveillance by sharing - directly and indirectly - user data with US intelligence.

The DPC declined to take on the Schrems case, saying it had no legal requirement to do so. Mr Schrems took a judicial review of the DPC decision to the High Court in Dublin, which asked the ECJ for clarification on the existing “Safe Harbour” provisions for such transfers.

These allow US companies transfer EU citizen data to the US by “self-certifying” that this information will be handled with “adequate” privacy standards specified by the commission. Under close questioning by the court in March, however, the European Commission conceded that it cannot guarantee EU citizens’ fundamental right to privacy when their data is transferred to the US under “Safe Harbour”.

Counsel for the EU executive added that the US was under no legal obligation to meet European privacy standards, nor did Brussels have any means of insisting that it did so via 15-year-old “Safe Harbour” provisions.

In an initial reaction, Mr Schrems said “it seems like years of work

could pay off”. “Now we just have to hope that the judges of the Court of Justice will follow the advocate general’s opinion in principle,” he said.

In his assessment, the advocate general criticised the commission for not examining how the Safe Harbour provisions were implemented in practice, and for allowing data transfers to continue while it negotiated new data transfer rules with US authorities.

“Where the examination of practice reveals that the arrangements are not working correctly, the Commission must take action and, where appropriate, suspend its decision or adapt it without delay,” he added.

In a wide-ranging opinion, the advocate general said the privileged status afforded the US through safe harbour was thus a violation of EU law.

Permitting EU citizen data to be fed into US mass surveillance systems contradicted both the standards of the EU’s own data protection directive, the advocate general said, and the EU Charter of Fundamental Rights. The advocate general called for the court to end the privileged status enjoyed by US companies under Safe Harbour.

The advocate general also called for greater rights for national data protection commissioners to investigate complaints by EU citizens that their data protection and privacy rights are being breached.

While the DPC told Mr Schrems it was unable to act on his concerns, as it was bound by the Safe Harbour, Mr Bot said it “must be possible for transfers of personal data to the United States to be suspended at the initiative of the national supervisory authorities or following complaints lodged with them”.