Europe’s highest court issued an opinion on Wednesday saying that current data-sharing rules between the EU’s 28 member countries and the US are "invalid".
It was greeted simultaneously as a significant development in the battle over online privacy, and a looming headache for giant hi-tech firms.
Yves Bot, the influential advocate general for the European Court of Justice (ECJ), argued that the court should annul a long-standing data-transfer pact between the EU and the US, in a boost for privacy advocates who have urged the court to scrap it because of concerns over US surveillance practices.
A 15-year-old ‘Safe Harbour’ agreement between the EU and the US facilitates and simplifies the everyday business of US companies, allowing them to handle European personal data in the US as long as the firms annually self-certify that they abide by Europe’s stricter privacy laws.
Privacy campaigners have said this puts Europeans’ data at the mercy of US National Security Agency (NSA), which may harvest email and other private data.
“The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data,” said Bot.
The decision, which is not final, could affect the current commercial practices of US multinational such as Facebook, Google and Apple, which routinely send Europeans' information across the Atlantic to servers in the US.
“Companies that participate in US mass surveillance and provide for example cloud services within the EU and rely on data centres in the US may now have to invest in secure data centres within the European Union,” said the plaintiff in the case, Austrian campaigner Maximilian Schrems.
“Currently this could be a mayor issue for Apple, Facebook, Google, Microsoft or Yahoo. All of them operate data centres in Europe, but may need to fundamentally restructure their data storage architecture and maybe even their corporate structure."
If the decision is adopted, it would put EU states in line with a Russian law that went into effect on 1 September, which requires tech companies to store personal data on Russian citizens on Russian servers.
Tech lobby groups said the judgement was a cause for concern. John Higgins, director general of the industry association DigitalEurope, which counts Microsoft, Google and Apple among its members, said, “In addition to the disruption a court ruling would have on international data flows, it would also frustrate the creation of the Digital Single Market in Europe because it would fragment Europe’s approach to data flows out of the EU.”
TechUK, an industry lobby in the UK, voiced similar concerns. "The approach that Europe takes to how data flows in and out of the EU will impact the global ambitions of data-driven companies in the UK and right across Europe," said Antony Walker, the body's deputy chief executive.
However the decision was cheered by privacy advocates. Joe McNamee, executive director of NGO European Digital Rights, said, "If confirmed by the full court, this is a very important first step for the right to privacy in Europe.”
The Commission will be bound to the upcoming ECJ decision, expected to be ruled on later this year, as will the EU’s 28 members.Background to Europe v Facebook
Schrems initially brought a claim against Facebook in Ireland, where Facebook's European headquarters are based, in 2013 arguing that, in the wake of Edward Snowden’s revelations about US intelligence agencies' mass collection of communications, users’ data is not sufficiently protected.
Snowden’s leaks showed the NSA used major web giants, including Apple, Google, Facebook and Microsoft, to gather user data.
The Irish data protection authority, which monitors compliance with privacy laws, rejected the claim, prompting Schrems to appeal to the ECJ.