A data sharing agreement between the EU and U.S.—where the NSA engages in "mass, indiscriminate surveillance"—violates the fundamental rights of EU citizens and is invalid, an advisor to the EU's top court said Wednesday.
The opinion issued by Yves Bot, Advocate General of the European Court of Justice (CJEU), relates to the 2000 "Safe Harbor" agreement, which allows for the transfer of commercial data, including Facebook user data, from the EU to US companies that say they are in compliance with EU privacy laws. The Guardian adds: "The arrangement allows the NSA to use the PRISM surveillance system exposed by [NSA whistleblower Edward] Snowden to wade through billions of bits of personal data, communication and information held by nine internet companies."
The Irish Times sums up what Bot's opinion means:
To Facebook and other US companies collecting user data within the EU, the ruling was clear: you can either operate in Europe or you can collaborate with NSA surveillance, not both.
To the European Commission, an equally stark message: you are betraying the fundamental rights of EU citizens by continuing the "Safe Harbour" data sharing regime.
Reuters offers this background on the case:
The case stems from a complaint filed by 27-year-old Austrian law student Max Schrems against Facebook, alleging the company was helping the U.S. National Security Agency (NSA) harvest email and other private data by forwarding European customers' data to servers in the United States.
Facebook rejects the claim that it provided the NSA with "backdoor" access to its servers and would wait for the full judgment, a spokeswoman said on Wednesday.
The Irish Data Protection Commissioner, who watches over major tech companies' compliance with privacy laws since they are headquartered in Ireland, rejected the complaint, saying such transfers were allowed under the Safe Harbour framework.
But the case was referred to the European Court of Justice (ECJ) after Schrems appealed.
"It is apparent from the findings of the High Court of Ireland and of the Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection," the CJEU statement (pdf) reads.
"The Advocate General considers furthermore that the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data," the statement adds.
"According to the Advocate General, that interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance," it reads.
It's not a binding opinion of the full Court; however, Bloomberg reports: "The EU court follows such advice in a majority of cases." And digital rights groups see that potential ruling as huge.
"If confirmed by the full Court, this is a very important step for the right to privacy in Europe," said Joe McNamee, Executive Director of European Digital Rights, a Brussels-based coalition of privacy and civil rights organizations.
In an initial response to Bot's opinion, Schrems stated (pdf) that "it seems like years of work could pay off. Now we just have to hope that the judges of the Court of Justice will follow the advocate general’s opinion in principle."
"What happens next is crucial," McNamee added. "It must never again happen... that obduracy from the Commission can keep agreements or laws in force that are patently illegal."