American spies have almost unfettered access to information about European users of Facebook and other social media thanks to an illegal trans-Atlantic pact on data transfers, an adviser to the EU’s top court warned on Wednesday.
Secret US orders forcing technology companies to hand over personal data linked to EU citizens can’t continue under an “invalid” data-transfer accord struck 15 years ago, Advocate General Yves Bot of the Luxembourg-based tribunal said in a non-binding opinion. The EU court follows such advice in a majority of cases.
EU citizens “who are Facebook users are not informed that their personal data will be generally accessible to the United States security agencies,” said Bot. National data privacy watchdogs have the power, “where appropriate,” to suspend the transfer of such data to servers located in the United States, including in the case concerning the data of European Facebook users, he said.
The EU Court of Justice should scrap the 2000 Safe Harbor decision because it doesn’t sufficiently protect citizens of the 28-nation bloc from an “unwarranted interference” with their rights and a “large-scale collection of personal data,” he said.
The EU-US data-sharing accord gives US intelligence services “wide-ranging” access to EU citizens’ data that “must be considered to be particularly serious, given the large number of users concerned and the quantities of data transferred,” said Bot.
Those factors and “the secret nature” of the US agencies’ access to such data via the servers of companies based in the US “make the interference extremely serious.”
The EU’s top court has been weighing the validity of the data-sharing accord following revelations by former National Security Agency contractor Edward Snowden about US government surveillance activities and mass data collection. An Irish judge last year called on the EU’s tribunal to decide whether the deal still protects privacy and whether national regulators have the power to suspend illegal data flows from the EU to the US.
Bot criticized the European Commission for having neither “suspended nor adapted” the decision even though “it was aware of shortcomings” all along. The commission has been in negotiations with the US for two years in a bid to address its concerns that the Safe Harbor decision allows overly lax sharing of people’s personal data.
The Brussels-based EU executive arm said it “has been working tirelessly with the US on the final details of a deal in the last weeks and we are confident that we can reach a positive conclusion soon,” according to an e-mailed statement Wednesday.
Austrian privacy activist Max Schrems triggered the case with a complaint he filed against Facebook with the privacy watchdog in Ireland, where the US social network company has its European base. He alleged that Facebook’s Irish unit illegally handed over data to US spies. Schrems had previously filed 22 complaints against the Menlo Park, California-based company.
Facebook, like other tech giants Google and Yahoo, has been reeling from the effects of the Snowden revelations in 2013. The companies have been trying to assure their users or customers that their products are secure and that they don’t willingly turn over data to the government.
If the court follows the opinion, it would mean that Facebook’s European branch in Ireland “would be barred from processing its data in the US, but would have to process its data in a place where those data are not subject to NSA mass-surveillance,” Herwig Hofmann, a lawyer representing Schrems, told reporters at the EU court today. All US companies would have to follow the same rules, he said.
Facebook “operates in compliance with EU Data Protection law. Like the thousands of other companies who operate data transfers across the Atlantic we await the full judgment,” said spokeswoman Sally Aldous.
“We have repeatedly said that we do not provide ‘backdoor’ access to Facebook servers and data to intelligence agencies or governments,” she said.
All US companies that are certified under Safe Harbor (there are more than 4,000 such companies) will be affected by the EU court’s decision, which should follow in the next four to six months.
DigitalEurope, a trade group that represents companies such as Apple, Google and Microsoft, said it is “concerned about the potential disruption to international data flows if the court follows today’s opinion,” according to a statement by John Higgins, its director general.
“If the safe harbor system is gone, it is very likely that the data protection authorities in the 28 EU member states will not allow data transfers to US companies that are subject to mass surveillance laws,” said Schrems in an e-mailed statement. “This may have major commercial downsides for the US tech industry.”