The European Commission has conceded that it cannot guarantee EU citizens' fundamental right to privacy when their data is transferred to the US.
During intense cross questioning at the European Court of Justice, counsel for the EU executive said the US was under no legal obligation to meet European privacy standards, nor did Brussels have any means of insisting that it did so via 15-year-old “Safe Harbour” provisions.
These allow US companies transfer EU citizen data to the US by “self-certifying” that this information will be handled with “adequate” privacy standards specified by the commission.
"Under Safe Harbour as it is currently applied in the US there is no guarantee that fundamental rights of EU data subjects will be respected," said Mr Bernhard Schima, counsel for the commission.
The verdict on this case, due on June 24th, could have far-reaching consequences for EU-US diplomatic and trade relations, as well as ongoing talks on a translatlantic free-trade agreement.
Tuesday's oral hearing was a referral from the Irish High Court on foot of a complaint filed by Austrian privacy campaigner Max Schrems against the Irish Data Protection Commissioner (DPC).
He asked the DPC to investigate whether
had breached EU data rules by transferring his user data to the US where, according to whistleblower
, they were accessible to US intelligence via its “Prism” programme.
The DPC declined to take the case, saying it had no legal requirement to do so. In a judicial review of the DPC decision, the High Court asked the European Court of Justice in Luxembourg for clarification on the Safe Harbour provisions.
Mr Noel Travers SC, counsel for Mr Schrems, said the Safe Harbour provision was illegal when it was adopted 15 years ago and, in a nod to the Snowden revelations, “even more illegal today based on everything we have learned in the meantime”.
Allowing US intelligence agencies access to EU citizen data via US companies like Facebook represented an “indiscriminate general surveillance”, he said, that is “manifestly incompatible” with the right to privacy in the EU charter of fundamental rights.
"It is difficult to conceive of a more serious violation of fundamental rights to privacy," said Mr Travers.
Drawing on a 2014 court ruling striking down data retention inside the EU, Mr Travers said Safe Harbour allowed US intelligence agencies scrutinise data closely and was thus a “far more egregious breach of privacy”. Invalidating the Safe Harbour provisions would not put a stop to transatlantic data transfer, Mr Travers told the court, merely end the privileged status of some US companies.
Mr Paul Anthony McDermott SC for the Irish DPC, said the Irish commissioner was happy to deal with all complaints it received on the basis of the law but saw no legal basis to investigate the Schrems complaint.
“There must be a likelihood that principles are being violated but the evidence to date consists of newspaper reports about Mr Snowden’s revelations,” he said.
Mr David Fennelly SC for Ireland said it was “up to the European Commission . . . to make positive or negative findings about the adequacy of protection afforded to personal data in third countries”.
Counsel for the European Parliament countered this, suggesting the Irish DPC had failed to exhaust its powers by deferring to the European Commission. Mr Schima for the commission said the executive was in talks to rectify privacy concerns between the EU and US.
“The fate of the Safe Harbour decision should not be prejudiced while talks are ongoing,” he said.