Data sharing rules between the European Commission (EC) and US are ‘invalid’ as they do not prevent the risk that data collected by companies such as Facebook on EU citizens will be monitored by the US government.
This was the ruling made by the EC attorney general to the Court of Justice in a case that was brought by Austrian privacy campaigner Max Schrems against Facebook, dating back to 2013.
The opinion is not binding but usually the Court of Justice follows the attorney general's ruling. If so, the decision could have huge ramifications for US tech firms such as Google, Facebook and Microsoft over how they transfer data from the EU.
The attorney general Yves Bot ruled this week that, despite the Safe Harbour agreement between the EC and the US, national data protection authorities do have the right to prevent data transfers to the US.
"The existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the national supervisory authorities’ powers under the directive on the processing of personal data," he noted.
Furthermore, Bot wrote that it is clear from the Edward Snowden revelations that the EC’s rules do not provide EC citizens with “effective judicial protection” once their data leaves the EU.
“The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter,” he said.
“Likewise, the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States amounts, in the Advocate General’s view, to an interference with the right of EU citizens to an effective remedy, protected by the Charter.”
Furthermore, the opinion said that the “indiscriminate surveillance” carried out by the US was an interference with EU citizens’ rights.
A Facebook spokesperson said the company would comply with European data protection laws as required.
"Like the thousands of other companies who operate data transfers across the Atlantic we await the full judgment," they added.
Schrems first brought his case against Facebook in light of the revelations by Snowden in 2013 that the US government was engaged in huge surveillance campaigns. Schrems argued this undermined the rules that govern data transfers.
The Irish Data Protection Authority first rejected the case, arguing that the EC's Safe Harbour deal with the US, which allows firms to self-certify that data is adequately protected when taken from EU soil, was binding.
However, Schrems appealed this decision with the Irish high court, which in turn asked the EC Court of Justice for its opinion.
Schrems welcomed Bot's decision, arguing it was a vindication of "years of work" to get the case to the EC, although he noted that it was still far from binding.
"Now we just have to hope that the judges of the Court of Justice will follow the advocate general’s opinion in principle," he said.
Not everyone was so upbeat on the ruling, though. Antony Walker, deputy CEO of techUK, said that any disruption to international data flow could hurt the UK's digital economy.
"The approach that Europe takes to how data flows in and out of the EU will impact the global ambitions of data-driven companies in the UK and right across Europe," he said.
"Thousands of companies, employing tens of thousands of people in the UK alone, rely upon Safe Harbour every day, for example to move HR data between their European and US operations."
While the ruling could have a major impact on EU-US data sharing, there are already efforts underway to create new rules to allow this passage of information to continue.
Furthermore, with the US pushing a case against Microsoft that could see it given the legal right to access any data stored on servers on EU soil, EU citizens still may not be free from the risk of having their data snooped on by overseas agents.