Over 4,000 companies affected

Snowden revelations threaten U.S.-EU data transfer deal

A data-sharing agreement between the European Union and the United States should be invalidated after the revelation of mass surveillance programs uncovered thanks to the efforts of Edward Snowden in 2013, according to Advocate General for EU Court of Justice Yves Bot.

The agreement to which Bot refers is the Safe Harbor decision from 2000. It allows US companies to self-certify that they comply with EU rules governing the transfer of data related to European citizens to other countries, like the US.

“The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data,” Bot stated in an opinion published this morning. This means Safe Harbor is “no longer adequate” and “the decision adopted in 2000 was no longer adapted to the reality of the situation.”

The opinion was published in response to a complaint brought against Facebook by privacy advocate Max Schrems, who says the personal data of European citizens has been made available to U.S. intelligence agencies via the social network.

Schrems has welcomed Bot’s recommendation, saying in response that “This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies, including EU subsidiaries of US companies,.” He also argues that invalidating Safe Harbor is a leveling of the playing field:

Self-certification under safe harbor gives US companies an extremely unfair advantage over all other players on the European market that have to stick to much stricter EU law. Removing ‘safe harbor’ would mainly mean that US companies have to play by rules that are equal to those their competitors already play by and that they cannot aid US mass surveillance.

It’s important to note that Bot’s opinion is non-binding, though the court is said to often side with the advocate general. Facebook wouldn’t be the only company affected by the invalidation of Safe Harbor, either; it would affect all companies that transfer data about European citizens to servers located in the US. The BBC reports that a decision like this could affect an estimated 4,000 companies.

In response to a request for comment, a Facebook spokesperson said the company “operates in compliance with EU Data Protection law.  Like the thousands of other companies who operate data transfers across the [A]tlantic we await the full judgement.” And, in response to complaints that data is transfers is given to US intelligence agencies through surveillance programs:

We have repeatedly said that we do not provide ‘backdoor’ access to Facebook servers and data to intelligence agencies or governments.  As Mark said in June 2013, we had never heard of PRISM before it was reported by the press and we have never participated in any such scheme.

The court’s judges are expected to make their own ruling later this year.