Europe’s highest court will rule this week on whether it “likes” the legality of an international agreement which allows US corporations such as Facebook, eBay, Google and Amazon to transfer European customers’ personal data to America where critics say it is shared with US intelligence agencies. The landmark ruling is set to shape international regulations over access to, and ownership of, individuals’ online information.
In a recommendation to justices hearing the case at the Court of Justice of the European Union (CJEU), the court’s advocate general, Yves Bot, recommended ruling that the “Safe Harbour” agreement – the US-EU data transfer agreement which is meant to protect individuals’ privacy – was “invalid”. In his report he said: “The revelations about the practices of the United States intelligence services as regards the generalised surveillance of data transferred under the safe harbour scheme have shed light on certain insufficiencies [of the agreement].”
His judgment is not binding on the court but is often followed.
The case was brought by Max Schrems, an Austrian law student. He brought the case after US whistleblower Edward Snowden revealed the US National Security Agency was routinely intercepting data from emails, social media and telephones, including EU citizens’ data information transferred to the US.
He brought the case in Ireland where Facebook’s European headquarters are based, arguing his privacy should have been safeguarded against security surveillance. He took the case to the CJEU after the Irish regulator declined to intervene. He argued the “safe harbour” protections – which state that US data protection rules are adequate if information is passed by companies that “self-certify” they abide by EU privacy rules – because America no longer qualifies for such a status. “The promise of a higher level of data protecting is being betrayed by [Europe] to serve business interests,” Mr Schrems has said.
He has asked the CJEU to declare Facebook’s “safe harbour” designation under EU law should be cancelled and that the Irish DPC should audit the exchange of information rather than allowing it to be transferred unscrutinised.
If the CJEU finds against the agreement, there will huge cost implications for the company and others like it. Experts warn an adverse ruling could dramatically increase the costs of satisfying each individual country’s privacy laws and make companies vulnerable to legal action wherever their websites are targeted. Facebook has already faced a number of privacy cases across Europe where data protection watchdogs have argued national privacy laws have been breached. The ruling could strengthen their powers to enforce local rules.
The US government denied it carried out mass surveillance on EU citizens and said it was directed only at lawfully approved foreign intelligence targets. Supporters of the safe harbour agreement claim the court should not be able to overturn it once the European Commission has approved it.
The US Federal Trade Commission, which is responsible for policing US companies which transfer data across the Atlantic, has been criticised for failing to police properly the companies involved in it. According to a 2013 European Commission document, as many as one in 10 of US companies that claim to be covered by the agreement were not registered with it. The Commission is understood to be meeting on 6 October to discuss the ruling. On 2 October, the Irish government urged the Commission and the US to settle a new citizen data transfer deal quickly. The case is highly sensitive for Dublin because Facebook and many other US tech companies have their European headquarters in Ireland and are regulated by Irish data protection authorities.