Rules for how U.S. companies handle Europeans' personal information under the Safe Harbor agreement do not ensure adequate protection of the data, the Advocate General of the Court of Justice of the European Union has advised in an opinion that threatens the operations of thousands of companies exchanging data between the European Union and the U.S.
Advocate General Yves Bot's opinion could open the way for national governments across the EU to set their own standards for the protection of exported data, potentially disrupting the activities of thousands of companies, including social networks, search engines and payroll processors.
The opinion, on a case relating to the activities of U.S. social network Facebook, is not binding on the court, although the judges do typically follow such opinions.
Lobby group Digital Europe, which counts Google and Microsoft but not Facebook among its members, immediately expressed concern about what will happen if the court follows the Advocate General's opinion.
In addition to business operations, such a decision could disrupt the EU's plans for the digital single market, a set of harmonized e-commerce, copyright and privacy laws, and call into question model contract clauses on data sharing the world over, the group warned.
Bot's opinion concerns a rather convoluted case brought before the High Court of Ireland by Austrian citizen Maximilian Schrems. When he failed to obtain satisfaction from the Irish Data Protection Commissioner regarding a complaint against Facebook, he asked the court for a judicial review. He had made the complaint in Ireland because Facebook's European headquarters is there, putting its interactions with citizens of any EU country under Irish data protection law.
EU law requires that companies exporting EU citizens' personal data do so only to countries providing a similar level of legal protection for that data. In the case of the U.S., the exchange of personal data is covered by the Safe Harbor Privacy Principles, which the European Commission ruled in July 2000 provide adequate protection.
The Commission is renegotiating those principles with the U.S., but in Bot's opinion it should have suspended the existing agreement rather than allowing it to continue during the negotiations.
EDRi, the European Digital Rights lobby group, welcomed Bot's criticism of the Commission's inaction, adding that the Commission should never again be allowed to keep in force agreements that the group described as "patently illegal."
Schrems triggered the case in 2013, when he became concerned by the revelations of NSA contractor Edward Snowden that intelligence services in the U.S. were spying on data held there by companies such as Facebook. He filed a complaint that June with the Irish Data Protection Commissioner (DPC), disputing the level of protection the privacy principles offered data about him held by Facebook.