Cybersecurity

EU opinion threatens to disrupt US data transfers

The key framework that companies use to legally funnel private data between the U.S. and the E.U. should be overturned in the face of ongoing American surveillance, a top advisor to the European Union’s high court said Wednesday.

Under the 2000 Safe Harbor agreement, U.S. companies can “self-certify” that their data privacy practices are equivalent to the more stringent E.U. regulations.

{mosads}In a non-binding opinion issued on Wednesday, Yves Bot, an advocate general for the European Court of Justice (ECJ), said the U.S. intelligence practices revealed by Edward Snowden render the protections of the Safe Harbor program invalid.

“Because the surveillance carried out by the U.S. is mass, indiscriminate surveillance … in those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection,” Bot wrote.

If the court opinion is confirmed, the 4,000 U.S. companies that now rely on Safe Harbor to legally transfer data across the Atlantic will be left scrambling for alternatives.

Major tech companies like Google, Facebook, Twitter and others all rely on Safe Harbor to handle European personal data in the U.S.

The case is part of a larger debate between the E.U. and the U.S. regarding data privacy.

The E.U. regards the protection of its citizens’ personal information as a fundamental right, and the U.S. has been struggling to rebuild trust after the Snowden leaks revealed the breadth of the National Security Agency’s digital surveillance of U.S. allies.

Earlier this month, negotiators agreed to a so-called “umbrella agreement” that would allow the two sides to exchange more data during criminal and terrorism investigations. The agreement is contingent upon the passage of a bill that would give E.U. citizens the right to seek legal redress for privacy violations in U.S. court.

In his opinion, Bot hammered the U.S. for not providing E.U. citizens with their right to judicial redress under European law.

“The inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States amounts … to an interference with the right of EU citizens of the to an effective remedy,” Bot wrote.

Bot’s opinion originated in a case brought against Facebook by Austrian privacy activist Max Schrems in light of the Snowden revelations. Irish regulators declined to take up the case, citing Safe Harbor, and Schrems brought his case to the ECJ.

A final decision is expected sometime this year or next.