A privacy campaigner has scored a legal victory that could bolster his attempts to prevent Facebook from being able to pass EU citizens’ data to the US authorities.
An opinion issued by the European Court of Justice says that current data-sharing rules between the 28-nation bloc and the US are “invalid”.
The decision could affect other tech firms’ abilities to send Europeans’ information to US data centres.
However, it is not a final judgement.
Although the EU’s highest court tends to follow the opinions of its legal adviser, the 15 judges involved have yet to issue a conclusive ruling of their own on the matter.
Even so, Max Schrems – the activist who prompted the case – suggests there could be far-reaching consequences.
“Companies that participate in US mass surveillance and provide, for example, cloud services within the EU and rely on data centres in the US may now have to invest in secure data centres within the European Union,” he said.
“This could be a major issue for Apple, Facebook, Google, Microsoft or Yahoo.
“All of them operate data centres in Europe, but may need to fundamentally restructure their data storage architecture and maybe even their corporate structure.”
A spokeswoman for the social network said: “Facebook operates in compliance with EU Data Protection law. Like the thousands of other companies who operate data transfers across the Atlantic we await the full judgement.”
The origins of Mr Schrems’ dispute with Facebook can be traced back to whistleblower Edward Snowden’s leaks about US cyberspies’ activities.
In 2013, Snowden released details about a surveillance scheme operated by the NSA called Prism, which provided officials with ways to scrutinise data held by US tech firms about Europeans and other foreign citizens.
Mr Schrems alleged that, in light of the revelations, EU citizens had no protection against US surveillance efforts once their data had been transferred.
He targeted Facebook in particular because of the wide range of data it gathered and the number of people using it.
However, when he took the case to Ireland – where Facebook’s European headquarters are based – it was initially rejected.
The Irish data watchdog said the Safe Harbour agreement between the US and EU prevented it from intervening.
When Mr Schrems challenged the watchdog in the Irish courts, the matter was referred to the European Court of Justice.
What is Safe Harbour?
The EU forbids the transfer of personal data to other parts of the world that do not provide “adequate” privacy protections.
But to make it easier for the US tech giants to function, it allows them to self-certify that they are carrying out the required steps, allowing the firms to avoid further checks.
More than 4,000 US companies make use of the Safe Harbour principle to facilitate data transfers.
Mr Schrems claims this gives them an unfair advantage over other firms that must “stick to much stricter” privacy rules.
The ECJ is expected to rule in the matter later this year.
The opinion, from one of its advocates general, is likely to influence that decision.
Yves Bot wrote that the Safe Harbour scheme did not contain “appropriate guarantees for preventing mass and generalised access” to EU citizens’ data once it had been sent to the US.
As a result, if there was evidence of “systemic deficiencies” in the way the US was treating that data, he added, then “member states must be able to take the measures necessary to safeguard the fundamental rights protected by the Charter of Fundamental Rights of the EU, which include the right to respect for private and family life and the right to the protection of personal data”.
Mr Bot concluded that data privacy watchdogs could indeed suspend data transfers to the US, despite the existence of Safe Harbour.
“This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies, including EU subsidiaries of US companies,” commented Mr Schrems.
Facebook publishes a limited amount of information about data handovers to the US authorities, but denies suggestions it freely shares access.
“We have repeatedly said that we do not provide ‘backdoor’ access to Facebook servers and data to intelligence agencies or governments,” said a spokeswoman for Facebook.
“As Mark [Zuckerberg] said in June 2013, we had never heard of Prism before it was reported by the press and we have never participated in any such scheme.”
The Safe Harbour framework itself is currently being renegotiated by the EU and US.
But industry lobby group TechUK has voiced concern that the ECJ’s eventual ruling could cause “disruption”.
“The approach that Europe takes to how data flows in and out of the EU will impact the global ambitions of data-driven companies in the UK and right across Europe,” commented Antony Walker, the body’s deputy chief executive.
“Thousands of companies, employing tens of thousands of people in the UK alone, rely upon Safe Harbour every day.”