A European court is set to upend a long-standing data privacy agreement with the U.S., throwing into turmoil the basis under which American Internet companies have operated in the European Union for a decade and a half.
If the Wednesday opinion, written by the European Court of Justice Advocate General Yves Bot, is confirmed by the court — as is the usual practice — it will be binding in all 28 E.U. countries. It will enable national privacy regulators in E.U. member states to ignore the June 2000 U.S.-E.U. Safe Harbor Agreement on data flows. Currently that deal requires them to treat self-certified American firms as if they were following strict E.U. laws on privacy.
Bot’s opinion comes in a long-running case brought by Austrian privacy activist Max Schrems against Facebook, following mega-leaker Edward Snowden’s 2013 revelations about the NSA’s PRISM program, under which the agency had direct access to data held by Facebook and more than a dozen other U.S. Internet companies. Facebook’s European headquarters are in Ireland, but it stores data from its European customers in the U.S. When Irish regulators declined to take up Schrems’ privacy complaint, citing the Safe Harbor deal, he brought his case to the ECJ in Luxembourg.
Bot’s opinion says, in effect, that the secret mass surveillance of the Internet by the NSA that Snowden revealed, invalidates the Safe Harbor agreement.
Schrems’ lawyer Herwig Hofmann told reporters at the court that if the opinion is confirmed, Facebook and any other U.S. company that collects data on E.U. citizens “would be barred from processing its data in the U.S., but would have to process its data in a place where those data are not subject to NSA mass-surveillance,” according to Bloomberg News.
Facebook denies that it grants access to user data to U.S. agencies except in response to court orders. The company “operates in compliance with E.U. Data Protection law. Like the thousands of other companies who operate data transfers across the Atlantic we await the full judgment,” spokeswoman Sally Aldous told Bloomberg.
The court generally takes four to six months to publish its own decision, and more than 4,000 U.S. companies are certified under the Safe Harbor deal.