BRUSSELS — A deal easing the transfer of data between the United States and the EU is invalid, an adviser to the European Union's top court said on Wednesday, dealing a blow to a system used by Facebook, Google and thousands of other companies. The Safe Harbour agreement did not do enough to protect EU citizen's private information when it reached the United States, Yves Bot, Advocate General at the European Court of Justice (ECJ), said. While Bot's opinions are not binding, they tend to be followed by the court's judges, who are considering a complaint about the system in the wake of revelations from ex-National Security Agency contractor Edward Snowden of mass US government surveillance. In a trenchant ruling which will do little to heal frayed transAtlantic relations following the spying leaks, Bot also said national data protection authorities could suspend data transfers to third countries if they felt EU citizens' privacy was compromised. That would cause a headache for US companies operating in the EU, lawyers said. Many companies had hailed the 2000 Safe Harbour deal, saying it helped them get round cumbersome checks to transfer vital data, including payroll and human resources information, between offices on both sides of the Atlantic. “We are concerned about the potential disruption to international data flows if the Court follows today's opinion,” said John Higgins, Director General of DIGITALEUROPE, whose members include Apple, Cisco, Ericsson and Google. The case stems from a complaint filed by 27-year-old Austrian law student Max Schrems against Facebook, alleging the company was helping the US National Security Agency (NSA) harvest email and other private data by forwarding European customer's data to servers in the United States. The Irish Data Protection Commissioner, who watches over major tech companies' compliance with privacy laws since they are headquartered in Ireland, rejected the complaint, saying such transfers were allowed under the Safe Harbour framework. But the case was referred to the European Court of Justice (ECJ) after Schrems appealed. “It is apparent from the findings of the High Court of Ireland and of the (European) Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection,” Bot said. The Commission should have suspended the framework following the Snowden leaks, he said. The United States and the Commission have been in talks for two years to strengthen the Safe Harbour framework amid calls for its suspension. Herwig Hofmann, a lawyer for Max Schrems, said he was “delighted” about the Advocate General's opinion. “If the United States doesn't change its laws in order to guarantee a minimum of data protection to European citizens, US companies will have to process their data in the EU,” told reporters at the court in Luxembourg. — Reuters
