US protection of Europeans’ personal data is inadequate, says EU court official
Rules for how US companies handle Europeans’ personal information under the Safe Harbour agreement do not ensure adequate protection of the data, the Advocate General of the Court of Justice of the European Union has advised in an opinion that threatens the operations of thousands of companies exchanging data between the European Union and the US.
Advocate General Yves Bot’s opinion could open the way for national governments across the EU to set their own standards for the protection of exported data, potentially disrupting the activities of thousands of companies, including social networks, search engines and payroll processors.
The opinion, on a case relating to the activities of Facebook, is not binding on the court, although the judges do typically follow such opinions.
Lobby group Digital Europe, which counts Google and Microsoft but not Facebook among its members, immediately expressed concern about what will happen if the court follows the Advocate General’s opinion.
In addition to business operations, such a decision could disrupt the EU’s plans for the digital single market, a set of harmonised e-commerce, copyright and privacy laws, and call into question model contract clauses on data sharing the world over, the group warned.
Bot’s opinion concerns the case brought before the High Court of Ireland by Europe-v-Facebook founder Maximillian Schrems. When Schrems failed to obtain satisfaction from the Irish Data Protection Commissioner regarding a complaint against the social network, he asked the court for a judicial review. As Facebook’s European office is based in Dublin, under EU law the company must abide by Irish data protection legislation.
EU law also requires that companies exporting EU citizens’ personal data do so only to countries providing a similar level of legal protection for that data. In the case of the US, the exchange of personal data is covered by the Safe Harbour Privacy Principles, which the European Commission ruled in July 2000 provide adequate protection.
The Commission is renegotiating those principles with the US, but in Bot’s opinion should have suspended the existing agreement rather than allowing it to continue during the negotiations.
Welcome criticism
EDRi, the European Digital Rights lobby group, welcomed Bot’s criticism of the Commission’s inaction, adding that the Commission should never again be allowed to keep in force agreements that the group described as “patently illegal”.
Schrems triggered the case in 2013, when he became concerned by the revelations of NSA contractor Edward Snowden that intelligence services in the US were spying on data held there by companies such as Facebook. He filed a complaint that June with the Irish Data Protection Commissioner (DPC), disputing the level of protection the privacy principles offered data about him held by Facebook.
The DPC summarily rejected the complaint in July 2013, pointing to the Commission’s finding that the Safe Harbour principles followed by Facebook were adequate.
Schrems sought a judicial review of the DPC’s decision from the High Court in October that year and in June 2014 the High Court referred questions about the case to the Court of Justice of the EU.
In his opinion, Bot said the DPC should not have used the Commission’s ruling on the adequacy of the Safe Harbour principles as an excuse to avoid hearing Schrems’s complaint. Despite the ruling, national regulators should be allowed to determine such matters themselves, he said.
The CJEU’s judges have just begun to debate that and other matters referred to them. Their ruling, when it comes, will be binding on the High Court.
Schrems is pinning his hopes on Bot.
“It seems like years of work could pay off. Now we just have to hope that the judges of the Court of Justice will follow the Advocate General’s opinion in principle,” he wrote upon reading the opinion.
IDG News Service